Edit tour

Windows Analysis Report
DRWgoZo325.exe

Overview

General Information

Sample name:	DRWgoZo325.exe renamed because original name is a hash value
Original sample name:	f5821e480d16f40d9eca6432956ae44e.exe
Analysis ID:	1581211
MD5:	f5821e480d16f40d9eca6432956ae44e
SHA1:	6b56e36b29bb7dfa195850c0bb28dbbd65a84714
SHA256:	9db2372193e9dd7736163fe1848d3912d985db145083d67bff2eae88d1206237
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected AsyncRAT

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Creates multiple autostart registry keys

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Monitors registry run keys for changes

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

DRWgoZo325.exe (PID: 8004 cmdline: "C:\Users\user\Desktop\DRWgoZo325.exe" MD5: F5821E480D16F40D9ECA6432956AE44E)

axplong.exe (PID: 7312 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: F5821E480D16F40D9ECA6432956AE44E)

axplong.exe (PID: 1472 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: F5821E480D16F40D9ECA6432956AE44E)

axplong.exe (PID: 7196 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: F5821E480D16F40D9ECA6432956AE44E)

32ff2fbd90.exe (PID: 1836 cmdline: "C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe" MD5: B0AFC3BE5CA9E3209B844F2CF69F0625)

chrome.exe (PID: 3104 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 5488 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2200,i,14566512888853355500,13257797279014534017,262144 /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

msedge.exe (PID: 4940 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1228 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=2328,i,6874197867965410317,15651413299758625886,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 3704 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\CBGCAFIIEC.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

CBGCAFIIEC.exe (PID: 7656 cmdline: "C:\Users\user\Documents\CBGCAFIIEC.exe" MD5: 142A3931B0023BC4DF9E8F50E142616A)

d1e123248e.exe (PID: 1568 cmdline: "C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe" MD5: 142A3931B0023BC4DF9E8F50E142616A)

skotes.exe (PID: 2956 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 142A3931B0023BC4DF9E8F50E142616A)

daf7989e83.exe (PID: 6560 cmdline: "C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe" MD5: FFE4817D515153EE00B6C2CD538D1FD4)

WerFault.exe (PID: 5080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6560 -s 500 MD5: C31336C1EFC2CCB44B4326EA793040F2)

7d4f3b6a88.exe (PID: 3380 cmdline: "C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe" MD5: DC4E6DA31928988B7F05F091C680FC07)

LummaC2.exe (PID: 1432 cmdline: "C:\Users\user\AppData\Local\Temp\LummaC2.exe" MD5: 607000C61FCB5A41B8D511B5ED7625D4)

Set-up.exe (PID: 3876 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

32ff2fbd90.exe (PID: 3136 cmdline: "C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe" MD5: B0AFC3BE5CA9E3209B844F2CF69F0625)

skotes.exe (PID: 4236 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 142A3931B0023BC4DF9E8F50E142616A)

d1e123248e.exe (PID: 7328 cmdline: "C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe" MD5: 142A3931B0023BC4DF9E8F50E142616A)

msedge.exe (PID: 1548 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4028 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2040,i,8703990507698830119,13622165365781825224,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

32ff2fbd90.exe (PID: 2080 cmdline: "C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe" MD5: B0AFC3BE5CA9E3209B844F2CF69F0625)

skotes.exe (PID: 7124 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 142A3931B0023BC4DF9E8F50E142616A)

rsn.exe (PID: 7328 cmdline: "C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe" MD5: 80956DBEEA97182A0709F9BC15A4B5D7)

64T69R7.exe (PID: 6200 cmdline: "C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe" MD5: 2A73FA2FB9F993D5F412716C3369ED0A)

powershell.exe (PID: 5388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1660 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cnywnayy_638708640251469628.exe (PID: 5264 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe" MD5: 990EC3DDAD4A74B16A404FBFDD19CEA2)

b016a3d9d5.exe (PID: 3608 cmdline: "C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe" MD5: 21707CD3B6DDDC2414D474FB4E867A09)

c2ca7fb2d0.exe (PID: 6456 cmdline: MD5: 6D6BBF1E873FB791141EA7FE2C166DCF)

cnywnayy_638708640251469628.exe (PID: 8084 cmdline: MD5: 990EC3DDAD4A74B16A404FBFDD19CEA2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}

Threatname: LummaC

{"C2 url": ["manyrestro.lat", "curverpluch.lat", "talkynicer.lat", "tentabatte.lat", "shapestickyr.lat", "slipperyloo.lat", "censeractersj.click", "wordyfindy.lat", "bashfulacid.lat"], "Build id": "oLXh--&a"}

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1132:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000011.00000002.2973140461.0000000000F38000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x16d0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000002E.00000002.4120987964.0000000001ECC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000002E.00000002.4120987964.0000000001ECC000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000011.00000002.2977025015.0000000004B40000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000002C.00000003.3741043776.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1324892862.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000020.00000002.2676025129.0000000000991000.00000040.00000001.01000000.00000015.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000B.00000002.2754081049.0000000000D61000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000C.00000002.2214362790.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000005.00000003.1870097821.00000000051A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000012.00000002.2261811221.0000000000561000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.1334609057.0000000000761000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002E.00000002.4120987964.0000000001E80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000002E.00000002.4120987964.0000000001E80000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
00000003.00000003.1341539424.0000000004E40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000A.00000002.2166710457.0000000000561000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002E.00000002.4120987964.0000000001EA6000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000002E.00000002.4120987964.0000000001EA6000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
00000003.00000002.1382490923.00000000003E1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002E.00000002.4120987964.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000002E.00000002.4120987964.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000000.00000003.1294178727.0000000004F60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000002.2681222976.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000018.00000002.2682614788.0000000000D61000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000009.00000002.2638205082.0000000000E2C000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1365524089.00000000003E1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.2638205082.0000000000D61000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 32ff2fbd90.exe PID: 1836	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 32ff2fbd90.exe PID: 1836	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 32ff2fbd90.exe PID: 1836	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 32ff2fbd90.exe PID: 1836	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 32ff2fbd90.exe PID: 3136	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 32ff2fbd90.exe PID: 3136	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 32ff2fbd90.exe PID: 2080	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 32ff2fbd90.exe PID: 2080	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: skotes.exe PID: 7124	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: skotes.exe PID: 7124	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb4a2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
46.2.c2ca7fb2d0.exe.1ea6000.4.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
46.2.c2ca7fb2d0.exe.1ea6000.4.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
46.2.c2ca7fb2d0.exe.1ecc000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
46.2.c2ca7fb2d0.exe.1ecc000.1.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1f88c:$str01: MachineID: 0x1e251:$str02: Work Dir: In memory 0x1f8c3:$str03: [Hardware] 0x1f875:$str04: VideoCard: 0x1eee5:$str05: [Processes] 0x1eef1:$str06: [Software] 0x1e3bb:$str07: information.txt 0x1f598:$str08: %s\* 0x1f5e5:$str08: %s\* 0x1e7a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1ed61:$str12: UseMasterPassword 0x1f8cf:$str13: Soft: WinSCP 0x1f36e:$str14: <Pass encoding="base64"> 0x1f8b2:$str15: Soft: FileZilla 0x1e3ad:$str16: passwords.txt 0x1ed8c:$str17: build_id 0x1ee80:$str18: file_data
46.2.c2ca7fb2d0.exe.1e80000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
46.2.c2ca7fb2d0.exe.1e80000.2.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
46.2.c2ca7fb2d0.exe.1ea6000.4.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
46.2.c2ca7fb2d0.exe.1ea6000.4.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1f88c:$str01: MachineID: 0x1e251:$str02: Work Dir: In memory 0x1f8c3:$str03: [Hardware] 0x1f875:$str04: VideoCard: 0x1eee5:$str05: [Processes] 0x1eef1:$str06: [Software] 0x1e3bb:$str07: information.txt 0x1f598:$str08: %s\* 0x1f5e5:$str08: %s\* 0x1e7a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1ed61:$str12: UseMasterPassword 0x1f8cf:$str13: Soft: WinSCP 0x1f36e:$str14: <Pass encoding="base64"> 0x1f8b2:$str15: Soft: FileZilla 0x1e3ad:$str16: passwords.txt 0x1ed8c:$str17: build_id 0x1ee80:$str18: file_data
46.2.c2ca7fb2d0.exe.1ecc000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
46.2.c2ca7fb2d0.exe.1ecc000.1.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x2068c:$str01: MachineID: 0x1f051:$str02: Work Dir: In memory 0x206c3:$str03: [Hardware] 0x20675:$str04: VideoCard: 0x1fce5:$str05: [Processes] 0x1fcf1:$str06: [Software] 0x1f1bb:$str07: information.txt 0x20398:$str08: %s\* 0x203e5:$str08: %s\* 0x1f5a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1fb61:$str12: UseMasterPassword 0x206cf:$str13: Soft: WinSCP 0x2016e:$str14: <Pass encoding="base64"> 0x206b2:$str15: Soft: FileZilla 0x1f1ad:$str16: passwords.txt 0x1fb8c:$str17: build_id 0x1fc80:$str18: file_data
46.2.c2ca7fb2d0.exe.1e80000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
46.2.c2ca7fb2d0.exe.1e80000.2.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1f88c:$str01: MachineID: 0x1e251:$str02: Work Dir: In memory 0x1f8c3:$str03: [Hardware] 0x1f875:$str04: VideoCard: 0x1eee5:$str05: [Processes] 0x1eef1:$str06: [Software] 0x1e3bb:$str07: information.txt 0x1f598:$str08: %s\* 0x1f5e5:$str08: %s\* 0x1e7a2:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x1ed61:$str12: UseMasterPassword 0x1f8cf:$str13: Soft: WinSCP 0x1f36e:$str14: <Pass encoding="base64"> 0x1f8b2:$str15: Soft: FileZilla 0x1e3ad:$str16: passwords.txt 0x1ed8c:$str17: build_id 0x1ee80:$str18: file_data
3.2.axplong.exe.3e0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.axplong.exe.3e0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
24.2.32ff2fbd90.exe.d60000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
24.2.32ff2fbd90.exe.d60000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x347d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x34930:$str02: Azure\.IdentityService 0x34954:$str03: steam_tokens.txt 0x345e8:$str04: "encrypted_key":" 0x34710:$str05: prefs.js 0x34788:$str06: browser: FileZilla 0x3479c:$str07: profile: null 0x347ac:$str08: url: 0x347b4:$str09: login: 0x347bc:$str10: password:
14.2.skotes.exe.c00000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
11.2.32ff2fbd90.exe.d60000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
32.2.CBGCAFIIEC.exe.990000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
11.2.32ff2fbd90.exe.d60000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x347d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x34930:$str02: Azure\.IdentityService 0x34954:$str03: steam_tokens.txt 0x345e8:$str04: "encrypted_key":" 0x34710:$str05: prefs.js 0x34788:$str06: browser: FileZilla 0x3479c:$str07: profile: null 0x347ac:$str08: url: 0x347b4:$str09: login: 0x347bc:$str10: password:
12.2.skotes.exe.c00000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
10.2.d1e123248e.exe.560000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.DRWgoZo325.exe.760000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
18.2.d1e123248e.exe.560000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.32ff2fbd90.exe.d60000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.32ff2fbd90.exe.d60000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
9.2.32ff2fbd90.exe.d60000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x347d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x34930:$str02: Azure\.IdentityService 0x34954:$str03: steam_tokens.txt 0x345e8:$str04: "encrypted_key":" 0x34710:$str05: prefs.js 0x34788:$str06: browser: FileZilla 0x3479c:$str07: profile: null 0x347ac:$str08: url: 0x347b4:$str09: login: 0x347bc:$str10: password:
25.2.7d4f3b6a88.exe.be0000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x6d30d2:$s1: Runner 0x6d3237:$s3: RunOnStartup 0x6d30e6:$a1: Antis 0x6d3113:$a2: antiVM 0x6d311a:$a3: antiSandbox 0x6d3126:$a4: antiDebug 0x6d3130:$a5: antiEmulator 0x6d313d:$a6: enablePersistence 0x6d314f:$a7: enableFakeError 0x6d3260:$a8: DetectVirtualMachine 0x6d3285:$a9: DetectSandboxie 0x6d32b0:$a10: DetectDebugger 0x6d32bf:$a11: CheckEmulator
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 7196, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32ff2fbd90.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe, ParentProcessId: 6200, ParentProcessName: 64T69R7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto', ProcessId: 5388, ProcessName: powershell.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe, ParentProcessId: 1836, ParentProcessName: 32ff2fbd90.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 3104, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 7196, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32ff2fbd90.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe, ParentProcessId: 6200, ParentProcessName: 64T69R7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto', ProcessId: 5388, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DRWgoZo325.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.206/68b591d6548ec281/freebl3.dll6	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php83m	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php.3	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/mozglue.dll2	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpf3	Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/7756467432/64T69R7.exe	Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/68b591d6548ec281/msvcp140.dllb	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/Rw	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php~3	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpJ0	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/softokn3.dllq	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Avira: detection malicious, Label: HEUR/AGEN.1313526
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1313526

Found malware configuration

Source: 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000002E.00000002.4120987964.0000000001ECC000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}
Source: 7d4f3b6a88.exe.3380.25.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["manyrestro.lat", "curverpluch.lat", "talkynicer.lat", "tentabatte.lat", "shapestickyr.lat", "slipperyloo.lat", "censeractersj.click", "wordyfindy.lat", "bashfulacid.lat"], "Build id": "oLXh--&a"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[1].exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: DRWgoZo325.exe	ReversingLabs: Detection: 55%
Source: DRWgoZo325.exe	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DRWgoZo325.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 185.215.113.43
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: S-%lu-
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: abc3bc1985
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: skotes.exe
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Startup
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: rundll32
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Programs
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: %USERPROFILE%
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: cred.dll
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: clip.dll
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: http://
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: https://
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /quiet
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: /Plugins/
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: &unit=
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: shell32.dll
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: kernel32.dll
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: GetNativeSystemInfo
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ProgramData\
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: AVAST Software
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Kaspersky Lab
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Panda Security
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Doctor Web
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 360TotalSecurity
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Bitdefender
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Norton
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Sophos
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Comodo
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: WinDefender
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: 0123456789
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ------
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ?scr=1
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ComputerName
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: -unicode-
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: VideoID
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: DefaultSettings.XResolution
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: DefaultSettings.YResolution
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: ProductName
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: CurrentBuild
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: rundll32.exe
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: "taskkill /f /im "
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: " && timeout 1 && del
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: && Exit"
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: " && ren
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: Powershell.exe
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: shutdown -s -t 0
Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp	String decryptor: random
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: hummskitnj.buzz
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: cashfuzysao.buzz
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: appliacnesot.buzz
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: screwamusresz.buzz
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: inherineau.buzz
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: scentniej.buzz
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: rebuildeso.buzz
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: prisonyfork.buzz
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: crownybusher.click
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: - Screen Resoluton:
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: Workgroup: -
Source: 0000002D.00000002.3532425651.00000000004D1000.00000040.00000001.01000000.0000001C.sdmp	String decryptor: H9zQiZ--
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: 07
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: 01
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: 20
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: 25
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetProcAddress
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: LoadLibraryA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: lstrcatA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: OpenEventA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CreateEventA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CloseHandle
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Sleep
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: VirtualFree
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetSystemInfo
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: VirtualAlloc
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: HeapAlloc
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetComputerNameA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: lstrcpyA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetProcessHeap
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetCurrentProcess
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: lstrlenA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: ExitProcess
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetSystemTime
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: advapi32.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: gdi32.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: user32.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: crypt32.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetUserNameA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CreateDCA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetDeviceCaps
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: ReleaseDC
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: sscanf
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: VMwareVMware
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: HAL9TH
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: JohnDoe
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: DISPLAY
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: http://185.215.113.206
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: /c4becf79229cb002.php
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: /68b591d6548ec281/
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: stok
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetFileAttributesA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: HeapFree
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetFileSize
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GlobalSize
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: IsWow64Process
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Process32Next
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetLocalTime
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: FreeLibrary
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetVolumeInformationA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Process32First
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetLocaleInfoA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetModuleFileNameA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: DeleteFileA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: FindNextFileA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: LocalFree
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: FindClose
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: LocalAlloc
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetFileSizeEx
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: ReadFile
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SetFilePointer
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: WriteFile
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CreateFileA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: FindFirstFileA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CopyFileA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: VirtualProtect
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetLastError
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: lstrcpynA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: MultiByteToWideChar
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GlobalFree
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: WideCharToMultiByte
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GlobalAlloc
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: OpenProcess
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: TerminateProcess
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetCurrentProcessId
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: gdiplus.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: ole32.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: bcrypt.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: wininet.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: shlwapi.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: shell32.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: rstrtmgr.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SelectObject
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: BitBlt
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: DeleteObject
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CreateCompatibleDC
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GdiplusStartup
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GdiplusShutdown
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GdipDisposeImage
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GdipFree
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CoUninitialize
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CoInitialize
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CoCreateInstance
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: BCryptDecrypt
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: BCryptSetProperty
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: BCryptDestroyKey
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetWindowRect
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetDesktopWindow
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetDC
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CloseWindow
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: wsprintfA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CharToOemW
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: wsprintfW
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: RegQueryValueExA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: RegEnumKeyExA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: RegOpenKeyExA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: RegCloseKey
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: RegEnumValueA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CryptUnprotectData
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SHGetFolderPathA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: ShellExecuteExA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: InternetOpenUrlA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: InternetConnectA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: InternetCloseHandle
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: HttpSendRequestA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: HttpOpenRequestA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: InternetReadFile
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: InternetCrackUrlA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: StrCmpCA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: StrStrA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: StrCmpCW
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: PathMatchSpecA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: RmStartSession
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: RmRegisterResources
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: RmGetList
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: RmEndSession
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: sqlite3_open
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: sqlite3_step
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: sqlite3_column_text
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: sqlite3_finalize
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: sqlite3_close
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: sqlite3_column_blob
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: encrypted_key
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: PATH
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: NSS_Init
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: NSS_Shutdown
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: PK11_FreeSlot
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: PK11_Authenticate
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: C:\ProgramData\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: browser:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: profile:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: url:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: login:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: password:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Opera
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: OperaGX
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Network
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: cookies
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: .txt
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: TRUE
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: FALSE
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: autofill
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: history
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: cc
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: name:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: month:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: year:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: card:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Cookies
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Login Data
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Web Data
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: History
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: logins.json
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: formSubmitURL
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: usernameField
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: encryptedUsername
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: encryptedPassword
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: guid
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: cookies.sqlite
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: formhistory.sqlite
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: places.sqlite
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: plugins
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Local Extension Settings
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Sync Extension Settings
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: IndexedDB
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Opera Stable
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Opera GX Stable
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: CURRENT
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: chrome-extension_
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Local State
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: profiles.ini
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: chrome
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: opera
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: firefox
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: wallets
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: ProductName
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: x32
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: x64
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: DisplayName
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: DisplayVersion
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Network Info:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - IP: IP?
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - Country: ISO?
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: System Summary:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - HWID:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - OS:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - Architecture:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - UserName:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - Computer Name:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - Local Time:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - UTC:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - Language:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - Keyboards:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - Laptop:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - Running Path:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - CPU:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - Threads:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - Cores:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - RAM:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - Display Resolution:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: - GPU:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: User Agents:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Installed Apps:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: All Users:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Current User:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Process List:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: system_info.txt
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: freebl3.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: mozglue.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: msvcp140.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: nss3.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: softokn3.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: vcruntime140.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: \Temp\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: .exe
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: runas
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: open
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: /c start
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: %DESKTOP%
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: %APPDATA%
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: %USERPROFILE%
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: %DOCUMENTS%
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: %RECENT%
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: *.lnk
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: files
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: \discord\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: \Telegram Desktop\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: key_datas
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: map*
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Telegram
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Tox
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: *.tox
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: *.ini
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Password
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: 00000001
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: 00000002
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: 00000003
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: 00000004
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Pidgin
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: \.purple\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: accounts.xml
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: token:
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Software\Valve\Steam
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: SteamPath
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: \config\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: ssfn*
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: config.vdf
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: DialogConfig.vdf
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: libraryfolders.vdf
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: loginusers.vdf
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: \Steam\
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: sqlite3.dll
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: done
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: soft
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: https
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: POST
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: HTTP/1.1
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: hwid
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: build
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: token
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: file_name
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: file
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: message
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C716C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	9_2_6C716C80
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C86A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	9_2_6C86A9A0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8644C0 PK11_PubEncrypt,	9_2_6C8644C0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C834420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	9_2_6C834420
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C864440 PK11_PrivDecrypt,	9_2_6C864440
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8B25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	9_2_6C8B25B0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C84E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	9_2_6C84E6E0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C86A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	9_2_6C86A650
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C848670 PK11_ExportEncryptedPrivKeyInfo,	9_2_6C848670
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C88A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	9_2_6C88A730

Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_5e18f592-0

Source: DRWgoZo325.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: mozglue.pdbP source: 32ff2fbd90.exe, 00000009.00000002.2673231363.000000006C77D000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: nss3.pdb@ source: 32ff2fbd90.exe, 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\Dan\source\repos\pthkkad\pthkkad\obj\Debug\pthkkad.pdb source: skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: 32ff2fbd90.exe, 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: mozglue.pdb source: 32ff2fbd90.exe, 00000009.00000002.2673231363.000000006C77D000.00000002.00000001.01000000.00000014.sdmp

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 29MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: censeractersj.click
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199809363512
Source: Malware configuration extractor	IPs: 185.215.113.43

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.121.15.192 185.121.15.192

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Code function: 9_2_6C81CC60 PR_Recv,

9_2_6C81CC60

Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://.css
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://.jpg
Source: daf7989e83.exe, 00000011.00000003.2349094953.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2375403578.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2538254098.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/
Source: daf7989e83.exe, 00000011.00000002.2973199382.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp
Source: daf7989e83.exe, 00000011.00000002.2973199382.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp4
Source: daf7989e83.exe, 00000011.00000002.2973199382.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/download
Source: daf7989e83.exe, 00000011.00000002.2973199382.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/downloadV
Source: daf7989e83.exe, 00000011.00000003.2511550898.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2349094953.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2482595026.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000002.2979240394.00000000055A0000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2427990453.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2375403578.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2538254098.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2296574547.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2455194108.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2323232353.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2401506825.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/key
Source: daf7989e83.exe, 00000011.00000003.2375145034.000000000594B000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000002.2973199382.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download
Source: daf7989e83.exe, 00000011.00000002.2973199382.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download(
Source: daf7989e83.exe, 00000011.00000003.2511550898.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2349094953.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2482595026.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2427990453.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2375403578.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2538254098.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2455194108.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2401506825.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/ll/key
Source: daf7989e83.exe, 00000011.00000003.2511550898.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2349094953.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2482595026.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2427990453.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2375403578.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2538254098.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2296574547.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2455194108.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2323232353.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2401506825.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/qC9k
Source: daf7989e83.exe, 00000011.00000002.2979475918.0000000005693000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000002.2973199382.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/soft/download
Source: daf7989e83.exe, 00000011.00000003.2401506825.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2375403578.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2296574547.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2349094953.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2323232353.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.1QT
Source: skotes.exe, 0000001C.00000003.4978552669.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 0000001C.00000003.4978552669.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exeH
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: skotes.exe, 0000001C.00000003.4978552669.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 0000001C.00000003.6135803850.0000000005B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/well/ran
Source: skotes.exe, 0000001C.00000003.4976904444.0000000005B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/well/random.exe
Source: skotes.exe, 0000001C.00000003.4978552669.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/well/random.exe9)
Source: skotes.exe, 0000001C.00000003.4978552669.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/well/random.exea5c
Source: 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000738000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll6
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll2
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dllb
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll.
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllq
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/90
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/C
Source: 32ff2fbd90.exe, 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/Rw
Source: 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/a
Source: 32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000B99000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php#
Source: 32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php(
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php.3
Source: 32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: 32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php4
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php83m
Source: 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpJ0
Source: 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000DE4000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpS
Source: 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000DE4000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000738000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd
Source: 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000DE4000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8K
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpf3
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpk
Source: 32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpl
Source: 32ff2fbd90.exe, 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phps
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpy
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php~3
Source: 32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/ws
Source: 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206I
Source: 32ff2fbd90.exe, 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206Y
Source: 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000DE4000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.206c4becf79229cb002.phpd2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8Kn
Source: 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000DE4000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.206ocal
Source: 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000DE4000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.206ocalMicrosoft
Source: skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php2001
Source: skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/7756467432/64T69R7.exe
Source: skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/7756467432/64T69R7.exeX
Source: skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/kardanvalov88/random.exe
Source: skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/kardanvalov88/random.exeJ
Source: skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/martin/random.exe
Source: skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/moku/random.exe
Source: cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: skotes.exe, 0000001C.00000003.3105162110.0000000000796000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000001C.00000003.3132261114.000000000079A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000001C.00000003.3133168688.000000000079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.
Source: skotes.exe, 0000001C.00000003.6134973595.0000000005B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: skotes.exe, 0000001C.00000003.6134973595.0000000005B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: skotes.exe, 0000001C.00000003.6134973595.0000000005B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: skotes.exe, 0000001C.00000003.6134973595.0000000005B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, 0000001B.00000003.2611627373.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2614034614.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000002.2618514425.0000000001ADB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2612457912.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2613521161.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000002.2615199652.0000000001429000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, 0000001B.00000003.2611627373.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2614034614.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000002.2618514425.0000000001ADB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2612457912.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2613521161.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100034fd4
Source: Set-up.exe, 0000001B.00000003.2613521161.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 0000001B.00000003.2611627373.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2614034614.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000002.2618514425.0000000001ADB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2612457912.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2613521161.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0Z
Source: Set-up.exe, 0000001B.00000002.2615199652.0000000001429000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: Set-up.exe, 0000001B.00000003.2611627373.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2614034614.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000002.2618514425.0000000001ADB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2612457912.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2613521161.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: skotes.exe, 0000001C.00000003.3105162110.0000000000796000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000001C.00000003.3132261114.000000000079A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000001C.00000003.3133168688.000000000079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.coh
Source: skotes.exe, 0000001C.00000003.6134973595.0000000005B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://timestamp.digicert.com0
Source: daf7989e83.exe, 00000011.00000003.2626241070.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624545330.000000000596E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624346429.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2626928168.0000000005967000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624416185.0000000005660000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2625102028.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2626169832.0000000005A21000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2625475905.0000000005950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: 32ff2fbd90.exe, 32ff2fbd90.exe, 00000009.00000002.2673231363.000000006C77D000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 32ff2fbd90.exe, 00000009.00000002.2672619169.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2661645847.0000000005365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crownybusher.click/
Source: cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crownybusher.click/api
Source: cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crownybusher.click/api)
Source: cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crownybusher.click/apiF
Source: cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crownybusher.click/apiX
Source: Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: daf7989e83.exe, 00000011.00000003.2626241070.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624545330.000000000596E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624346429.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2626928168.0000000005967000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624416185.0000000005660000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2625102028.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2626169832.0000000005A21000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2625475905.0000000005950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g-cleanit.hk
Source: skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/ktiwpptkkmgmawd.exe
Source: Set-up.exe, 0000001B.00000003.2372989385.0000000001A85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://httpbin.org/ipbefore
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
Source: daf7989e83.exe, 00000011.00000003.2626241070.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624545330.000000000596E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624346429.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2626928168.0000000005967000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624416185.0000000005660000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2625102028.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2626169832.0000000005A21000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2625475905.0000000005950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1Pz8p7
Source: skotes.exe, 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: skotes.exe, 0000001C.00000003.6134973595.0000000005B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: 32ff2fbd90.exe, 00000009.00000003.2579563110.000000000B860000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000E2C000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 32ff2fbd90.exe, 00000009.00000003.2579563110.000000000B860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.njy8xaI_aUJp
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr
Source: 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000E2C000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 32ff2fbd90.exe, 00000009.00000003.2579563110.000000000B860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
Source: 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000E2C000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: 32ff2fbd90.exe, 00000009.00000003.2579563110.000000000B860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
Source: 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000E2C000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 32ff2fbd90.exe, 00000009.00000003.2579563110.000000000B860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 32ff2fbd90.exe, 00000009.00000003.2579563110.000000000B860000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000E2C000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000E2C000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 32ff2fbd90.exe, 00000009.00000003.2579563110.000000000B860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skotes.exe PID: 7124, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 46.2.c2ca7fb2d0.exe.1ea6000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 46.2.c2ca7fb2d0.exe.1ecc000.1.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 46.2.c2ca7fb2d0.exe.1e80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 46.2.c2ca7fb2d0.exe.1ea6000.4.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 46.2.c2ca7fb2d0.exe.1ecc000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 46.2.c2ca7fb2d0.exe.1e80000.2.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 24.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 9.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 25.2.7d4f3b6a88.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects downloader / injector Author: ditekSHen
Source: 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000011.00000002.2973140461.0000000000F38000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002E.00000002.4120987964.0000000001ECC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000011.00000002.2977025015.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002E.00000002.4120987964.0000000001E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0000002E.00000002.4120987964.0000000001EA6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0000002E.00000002.4120987964.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: Process Memory Space: skotes.exe PID: 7124, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

PE file contains section with special chars

Source: DRWgoZo325.exe	Static PE information: section name:
Source: DRWgoZo325.exe	Static PE information: section name: .idata
Source: DRWgoZo325.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: random[1].exe.5.dr	Static PE information: section name:
Source: random[1].exe.5.dr	Static PE information: section name: .idata
Source: random[1].exe.5.dr	Static PE information: section name:
Source: 7d4f3b6a88.exe.5.dr	Static PE information: section name:
Source: 7d4f3b6a88.exe.5.dr	Static PE information: section name: .idata
Source: 7d4f3b6a88.exe.5.dr	Static PE information: section name:
Source: 32ff2fbd90.exe.5.dr	Static PE information: section name:
Source: 32ff2fbd90.exe.5.dr	Static PE information: section name: .idata
Source: random[1].exe1.5.dr	Static PE information: section name:
Source: random[1].exe1.5.dr	Static PE information: section name: .idata
Source: d1e123248e.exe.5.dr	Static PE information: section name:
Source: d1e123248e.exe.5.dr	Static PE information: section name: .idata
Source: random[1].exe2.5.dr	Static PE information: section name:
Source: random[1].exe2.5.dr	Static PE information: section name: .idata
Source: random[1].exe2.5.dr	Static PE information: section name:
Source: daf7989e83.exe.5.dr	Static PE information: section name:
Source: daf7989e83.exe.5.dr	Static PE information: section name: .idata
Source: daf7989e83.exe.5.dr	Static PE information: section name:
Source: skotes.exe.10.dr	Static PE information: section name:
Source: skotes.exe.10.dr	Static PE information: section name: .idata

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C76B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	9_2_6C76B700
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C76B8C0 rand_s,NtQueryVirtualMemory,	9_2_6C76B8C0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C76B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	9_2_6C76B910
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C70F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	9_2_6C70F280

Source: C:\Users\user\Desktop\DRWgoZo325.exe	File created: C:\Windows\Tasks\axplong.job			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	File created: C:\Windows\Tasks\skotes.job			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7035A0	9_2_6C7035A0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C77545C	9_2_6C77545C
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C715440	9_2_6C715440
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C77542B	9_2_6C77542B
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C745C10	9_2_6C745C10
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C752C10	9_2_6C752C10
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C77AC00	9_2_6C77AC00
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C746CF0	9_2_6C746CF0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C70D4E0	9_2_6C70D4E0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C74BCD4	9_2_6C74BCD4
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C72D4D0	9_2_6C72D4D0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7164C0	9_2_6C7164C0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7634A0	9_2_6C7634A0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C76C4A0	9_2_6C76C4A0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C716C80	9_2_6C716C80
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C730512	9_2_6C730512
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C72ED10	9_2_6C72ED10
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C71FD00	9_2_6C71FD00
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7685F0	9_2_6C7685F0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C740DD0	9_2_6C740DD0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C70C670	9_2_6C70C670
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C776E63	9_2_6C776E63
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C729E50	9_2_6C729E50
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C743E50	9_2_6C743E50
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C724640	9_2_6C724640
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C752E4E	9_2_6C752E4E
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C769E30	9_2_6C769E30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C747E10	9_2_6C747E10
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C755600	9_2_6C755600
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C70BEF0	9_2_6C70BEF0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C71FEF0	9_2_6C71FEF0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7776E3	9_2_6C7776E3
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C764EA0	9_2_6C764EA0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C725E90	9_2_6C725E90
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C76E680	9_2_6C76E680
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C747710	9_2_6C747710
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C719F00	9_2_6C719F00
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C736FF0	9_2_6C736FF0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C70DFE0	9_2_6C70DFE0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7577A0	9_2_6C7577A0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C74F070	9_2_6C74F070
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C728850	9_2_6C728850
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C72D850	9_2_6C72D850
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C754820	9_2_6C754820
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C717810	9_2_6C717810
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C72C0E0	9_2_6C72C0E0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7458E0	9_2_6C7458E0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7750C7	9_2_6C7750C7
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7360A0	9_2_6C7360A0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C75B970	9_2_6C75B970
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C77B170	9_2_6C77B170
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C71D960	9_2_6C71D960
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C72A940	9_2_6C72A940
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C73D9B0	9_2_6C73D9B0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C70C9A0	9_2_6C70C9A0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C745190	9_2_6C745190
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C762990	9_2_6C762990
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C749A60	9_2_6C749A60
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C721AF0	9_2_6C721AF0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C74E2F0	9_2_6C74E2F0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C748AC0	9_2_6C748AC0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C71CAB0	9_2_6C71CAB0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C772AB0	9_2_6C772AB0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7022A0	9_2_6C7022A0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C734AA0	9_2_6C734AA0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C77BA90	9_2_6C77BA90
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C71C370	9_2_6C71C370
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C705340	9_2_6C705340
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C74D320	9_2_6C74D320
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7753C8	9_2_6C7753C8
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C70F380	9_2_6C70F380
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7BAC60	9_2_6C7BAC60
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C80ECD0	9_2_6C80ECD0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C876C00	9_2_6C876C00
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C88AC30	9_2_6C88AC30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7AECC0	9_2_6C7AECC0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C846D90	9_2_6C846D90
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C93CDC0	9_2_6C93CDC0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C938D20	9_2_6C938D20
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7B4DB0	9_2_6C7B4DB0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8DAD50	9_2_6C8DAD50
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C87ED70	9_2_6C87ED70
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C836E90	9_2_6C836E90
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C850EC0	9_2_6C850EC0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C890E20	9_2_6C890E20
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7BAEC0	9_2_6C7BAEC0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C84EE70	9_2_6C84EE70
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8F8FB0	9_2_6C8F8FB0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7B6F10	9_2_6C7B6F10
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C88EFF0	9_2_6C88EFF0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7B0FE0	9_2_6C7B0FE0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8F0F20	9_2_6C8F0F20
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C81EF40	9_2_6C81EF40
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7BEFB0	9_2_6C7BEFB0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C872F70	9_2_6C872F70
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8B68E0	9_2_6C8B68E0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C800820	9_2_6C800820
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C83A820	9_2_6C83A820
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C884840	9_2_6C884840
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7E8960	9_2_6C7E8960
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8409A0	9_2_6C8409A0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C86A9A0	9_2_6C86A9A0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8709B0	9_2_6C8709B0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8CC9E0	9_2_6C8CC9E0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C806900	9_2_6C806900
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7E49F0	9_2_6C7E49F0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C82EA80	9_2_6C82EA80
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C85EA00	9_2_6C85EA00
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C868A30	9_2_6C868A30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C82CA70	9_2_6C82CA70
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C850BA0	9_2_6C850BA0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8B6BE0	9_2_6C8B6BE0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8DA480	9_2_6C8DA480
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7C8460	9_2_6C7C8460
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C84A4D0	9_2_6C84A4D0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C814420	9_2_6C814420
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7F64D0	9_2_6C7F64D0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C83A430	9_2_6C83A430
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C87A5E0	9_2_6C87A5E0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C83E5F0	9_2_6C83E5F0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C808540	9_2_6C808540
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7A45B0	9_2_6C7A45B0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8B4540	9_2_6C8B4540
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8F8550	9_2_6C8F8550
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C812560	9_2_6C812560
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C850570	9_2_6C850570
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C80E6E0	9_2_6C80E6E0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C84E6E0	9_2_6C84E6E0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7D46D0	9_2_6C7D46D0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C80C650	9_2_6C80C650
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C830700	9_2_6C830700
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7DA7D0	9_2_6C7DA7D0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7FE070	9_2_6C7FE070
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C88C0B0	9_2_6C88C0B0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C87C000	9_2_6C87C000
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C878010	9_2_6C878010
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7C00B0	9_2_6C7C00B0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C7A8090	9_2_6C7A8090

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: String function: 6C7D3620 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: String function: 6C73CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: String function: 6C7494D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: String function: 6C7D9B10 appears 39 times

Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6560 -s 500

Source: DRWgoZo325.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 46.2.c2ca7fb2d0.exe.1ea6000.4.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 46.2.c2ca7fb2d0.exe.1ecc000.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 46.2.c2ca7fb2d0.exe.1e80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 46.2.c2ca7fb2d0.exe.1ea6000.4.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 46.2.c2ca7fb2d0.exe.1ecc000.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 46.2.c2ca7fb2d0.exe.1e80000.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 24.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 11.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 9.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 25.2.7d4f3b6a88.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000011.00000002.2973140461.0000000000F38000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002E.00000002.4120987964.0000000001ECC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000011.00000002.2977025015.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002E.00000002.4120987964.0000000001E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0000002E.00000002.4120987964.0000000001EA6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0000002E.00000002.4120987964.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: Process Memory Space: skotes.exe PID: 7124, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: DRWgoZo325.exe	Static PE information: Section: ZLIB complexity 0.9971581232970027
Source: DRWgoZo325.exe	Static PE information: Section: rkpvjsjf ZLIB complexity 0.9943318684895833
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9971581232970027
Source: axplong.exe.0.dr	Static PE information: Section: rkpvjsjf ZLIB complexity 0.9943318684895833
Source: random[1].exe.5.dr	Static PE information: Section: ugefwulq ZLIB complexity 0.9947546009335783
Source: 7d4f3b6a88.exe.5.dr	Static PE information: Section: ugefwulq ZLIB complexity 0.9947546009335783
Source: random[1].exe2.5.dr	Static PE information: Section: viztzmws ZLIB complexity 0.9902269703266259
Source: daf7989e83.exe.5.dr	Static PE information: Section: viztzmws ZLIB complexity 0.9902269703266259

Source: random[1].exe1.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: d1e123248e.exe.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.10.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: DRWgoZo325.exe	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: axplong.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@79/53@0/23

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Code function: 9_2_6C767030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

9_2_6C767030

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[1].exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6560
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\DRWgoZo325.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\DRWgoZo325.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DRWgoZo325.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: 32ff2fbd90.exe, 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmp, 32ff2fbd90.exe, 00000009.00000002.2672453230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2661645847.0000000005365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 32ff2fbd90.exe, 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmp, 32ff2fbd90.exe, 00000009.00000002.2672453230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2661645847.0000000005365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 32ff2fbd90.exe, 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmp, 32ff2fbd90.exe, 00000009.00000002.2672453230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2661645847.0000000005365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 32ff2fbd90.exe, 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmp, 32ff2fbd90.exe, 00000009.00000002.2672453230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2661645847.0000000005365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 32ff2fbd90.exe, 32ff2fbd90.exe, 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmp, 32ff2fbd90.exe, 00000009.00000002.2672453230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2661645847.0000000005365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 32ff2fbd90.exe, 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmp, 32ff2fbd90.exe, 00000009.00000002.2672453230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2661645847.0000000005365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 32ff2fbd90.exe, 00000009.00000002.2672453230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2661645847.0000000005365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 32ff2fbd90.exe, 00000009.00000003.2379313429.000000000524D000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000003.2224473336.0000000005259000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 32ff2fbd90.exe, 00000009.00000002.2672453230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2661645847.0000000005365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 32ff2fbd90.exe, 00000009.00000002.2672453230.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2661645847.0000000005365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: DRWgoZo325.exe	ReversingLabs: Detection: 55%
Source: DRWgoZo325.exe	Virustotal: Detection: 47%

Source: DRWgoZo325.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\DRWgoZo325.exe

File read: C:\Users\user\Desktop\DRWgoZo325.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DRWgoZo325.exe "C:\Users\user\Desktop\DRWgoZo325.exe"
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe "C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe "C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe "C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe"
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2200,i,14566512888853355500,13257797279014534017,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe "C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe "C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe"
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=2328,i,6874197867965410317,15651413299758625886,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2040,i,8703990507698830119,13622165365781825224,262144 /prefetch:3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe "C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe "C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe"
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\CBGCAFIIEC.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\CBGCAFIIEC.exe "C:\Users\user\Documents\CBGCAFIIEC.exe"
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6560 -s 500
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe "C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe "C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe"
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe "C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe"
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe "C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe "C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe "C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe "C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\CBGCAFIIEC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2200,i,14566512888853355500,13257797279014534017,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=2328,i,6874197867965410317,15651413299758625886,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2040,i,8703990507698830119,13622165365781825224,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe "C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe "C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe "C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\CBGCAFIIEC.exe "C:\Users\user\Documents\CBGCAFIIEC.exe"
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto'
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe"
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Section loaded: winmm.dll
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Section loaded: wininet.dll
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\DRWgoZo325.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.13.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Automated click: OK
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: DRWgoZo325.exe

Static file information: File size 1924096 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: DRWgoZo325.exe

Static PE information: Raw size of rkpvjsjf is bigger than: 0x100000 < 0x1a4000

Source:	Binary string: mozglue.pdbP source: 32ff2fbd90.exe, 00000009.00000002.2673231363.000000006C77D000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: nss3.pdb@ source: 32ff2fbd90.exe, 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\Dan\source\repos\pthkkad\pthkkad\obj\Debug\pthkkad.pdb source: skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: 32ff2fbd90.exe, 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: mozglue.pdb source: 32ff2fbd90.exe, 00000009.00000002.2673231363.000000006C77D000.00000002.00000001.01000000.00000014.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\DRWgoZo325.exe	Unpacked PE file: 0.2.DRWgoZo325.exe.760000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkpvjsjf:EW;moaphpaf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkpvjsjf:EW;moaphpaf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkpvjsjf:EW;moaphpaf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkpvjsjf:EW;moaphpaf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 3.2.axplong.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkpvjsjf:EW;moaphpaf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkpvjsjf:EW;moaphpaf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Unpacked PE file: 9.2.32ff2fbd90.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W;kosvbopd:EW;gvemugdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;kosvbopd:EW;gvemugdt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Unpacked PE file: 10.2.d1e123248e.exe.560000.0.unpack :EW;.rsrc:W;.idata :W;xcljfhyk:EW;mqunepnm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xcljfhyk:EW;mqunepnm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Unpacked PE file: 11.2.32ff2fbd90.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W;kosvbopd:EW;gvemugdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;kosvbopd:EW;gvemugdt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 12.2.skotes.exe.c00000.0.unpack :EW;.rsrc:W;.idata :W;xcljfhyk:EW;mqunepnm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xcljfhyk:EW;mqunepnm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 14.2.skotes.exe.c00000.0.unpack :EW;.rsrc:W;.idata :W;xcljfhyk:EW;mqunepnm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xcljfhyk:EW;mqunepnm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Unpacked PE file: 17.2.daf7989e83.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;viztzmws:EW;cutnkula:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Unpacked PE file: 18.2.d1e123248e.exe.560000.0.unpack :EW;.rsrc:W;.idata :W;xcljfhyk:EW;mqunepnm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xcljfhyk:EW;mqunepnm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Unpacked PE file: 24.2.32ff2fbd90.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W;kosvbopd:EW;gvemugdt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;kosvbopd:EW;gvemugdt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Unpacked PE file: 25.2.7d4f3b6a88.exe.be0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ugefwulq:EW;sehsycct:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Unpacked PE file: 32.2.CBGCAFIIEC.exe.990000.0.unpack :EW;.rsrc:W;.idata :W;xcljfhyk:EW;mqunepnm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xcljfhyk:EW;mqunepnm:EW;.taggant:EW;

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Code function: 9_2_6C76C410 LoadLibraryW,GetProcAddress,FreeLibrary,

9_2_6C76C410

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe.5.dr	Static PE information: real checksum: 0x5db29f should be: 0x5e0157
Source: random[1].exe1.5.dr	Static PE information: real checksum: 0x328ba0 should be: 0x3265d5
Source: d1e123248e.exe.5.dr	Static PE information: real checksum: 0x328ba0 should be: 0x3265d5
Source: skotes.exe.10.dr	Static PE information: real checksum: 0x328ba0 should be: 0x3265d5
Source: DRWgoZo325.exe	Static PE information: real checksum: 0x1ddd5b should be: 0x1ddfcf
Source: random[1].exe2.5.dr	Static PE information: real checksum: 0x1e8d46 should be: 0x1e366b
Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1ddd5b should be: 0x1ddfcf
Source: daf7989e83.exe.5.dr	Static PE information: real checksum: 0x1e8d46 should be: 0x1e366b
Source: LummaC2.exe.25.dr	Static PE information: real checksum: 0x0 should be: 0x4fec3
Source: 32ff2fbd90.exe.5.dr	Static PE information: real checksum: 0x4f6a46 should be: 0x4fb1d3
Source: 7d4f3b6a88.exe.5.dr	Static PE information: real checksum: 0x5db29f should be: 0x5e0157

Source: DRWgoZo325.exe	Static PE information: section name:
Source: DRWgoZo325.exe	Static PE information: section name: .idata
Source: DRWgoZo325.exe	Static PE information: section name:
Source: DRWgoZo325.exe	Static PE information: section name: rkpvjsjf
Source: DRWgoZo325.exe	Static PE information: section name: moaphpaf
Source: DRWgoZo325.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: rkpvjsjf
Source: axplong.exe.0.dr	Static PE information: section name: moaphpaf
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.5.dr	Static PE information: section name:
Source: random[1].exe.5.dr	Static PE information: section name: .idata
Source: random[1].exe.5.dr	Static PE information: section name:
Source: random[1].exe.5.dr	Static PE information: section name: ugefwulq
Source: random[1].exe.5.dr	Static PE information: section name: sehsycct
Source: random[1].exe.5.dr	Static PE information: section name: .taggant
Source: 7d4f3b6a88.exe.5.dr	Static PE information: section name:
Source: 7d4f3b6a88.exe.5.dr	Static PE information: section name: .idata
Source: 7d4f3b6a88.exe.5.dr	Static PE information: section name:
Source: 7d4f3b6a88.exe.5.dr	Static PE information: section name: ugefwulq
Source: 7d4f3b6a88.exe.5.dr	Static PE information: section name: sehsycct
Source: 7d4f3b6a88.exe.5.dr	Static PE information: section name: .taggant
Source: 32ff2fbd90.exe.5.dr	Static PE information: section name:
Source: 32ff2fbd90.exe.5.dr	Static PE information: section name: .idata
Source: 32ff2fbd90.exe.5.dr	Static PE information: section name: kosvbopd
Source: 32ff2fbd90.exe.5.dr	Static PE information: section name: gvemugdt
Source: 32ff2fbd90.exe.5.dr	Static PE information: section name: .taggant
Source: random[1].exe1.5.dr	Static PE information: section name:
Source: random[1].exe1.5.dr	Static PE information: section name: .idata
Source: random[1].exe1.5.dr	Static PE information: section name: xcljfhyk
Source: random[1].exe1.5.dr	Static PE information: section name: mqunepnm
Source: random[1].exe1.5.dr	Static PE information: section name: .taggant
Source: d1e123248e.exe.5.dr	Static PE information: section name:
Source: d1e123248e.exe.5.dr	Static PE information: section name: .idata
Source: d1e123248e.exe.5.dr	Static PE information: section name: xcljfhyk
Source: d1e123248e.exe.5.dr	Static PE information: section name: mqunepnm
Source: d1e123248e.exe.5.dr	Static PE information: section name: .taggant
Source: random[1].exe2.5.dr	Static PE information: section name:
Source: random[1].exe2.5.dr	Static PE information: section name: .idata
Source: random[1].exe2.5.dr	Static PE information: section name:
Source: random[1].exe2.5.dr	Static PE information: section name: viztzmws
Source: random[1].exe2.5.dr	Static PE information: section name: cutnkula
Source: random[1].exe2.5.dr	Static PE information: section name: .taggant
Source: daf7989e83.exe.5.dr	Static PE information: section name:
Source: daf7989e83.exe.5.dr	Static PE information: section name: .idata
Source: daf7989e83.exe.5.dr	Static PE information: section name:
Source: daf7989e83.exe.5.dr	Static PE information: section name: viztzmws
Source: daf7989e83.exe.5.dr	Static PE information: section name: cutnkula
Source: daf7989e83.exe.5.dr	Static PE information: section name: .taggant
Source: freebl3.dll.9.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.9.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.9.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.9.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.9.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.9.dr	Static PE information: section name: .didat
Source: skotes.exe.10.dr	Static PE information: section name:
Source: skotes.exe.10.dr	Static PE information: section name: .idata
Source: skotes.exe.10.dr	Static PE information: section name: xcljfhyk
Source: skotes.exe.10.dr	Static PE information: section name: mqunepnm
Source: skotes.exe.10.dr	Static PE information: section name: .taggant
Source: Set-up.exe.25.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Code function: 9_2_6C73B536 push ecx; ret

9_2_6C73B549

Source: DRWgoZo325.exe	Static PE information: section name: entropy: 7.981458864022524
Source: DRWgoZo325.exe	Static PE information: section name: rkpvjsjf entropy: 7.954036468400131
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.981458864022524
Source: axplong.exe.0.dr	Static PE information: section name: rkpvjsjf entropy: 7.954036468400131
Source: random[1].exe.5.dr	Static PE information: section name: ugefwulq entropy: 7.954910135725951
Source: 7d4f3b6a88.exe.5.dr	Static PE information: section name: ugefwulq entropy: 7.954910135725951
Source: random[1].exe1.5.dr	Static PE information: section name: entropy: 7.153402973256315
Source: d1e123248e.exe.5.dr	Static PE information: section name: entropy: 7.153402973256315
Source: random[1].exe2.5.dr	Static PE information: section name: viztzmws entropy: 7.948652519238467
Source: daf7989e83.exe.5.dr	Static PE information: section name: viztzmws entropy: 7.948652519238467
Source: skotes.exe.10.dr	Static PE information: section name: entropy: 7.153402973256315

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\DRWgoZo325.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skotes.exe PID: 7124, type: MEMORYSTR

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d1e123248e.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 32ff2fbd90.exe			Jump to behavior

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\DRWgoZo325.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\Desktop\DRWgoZo325.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 32ff2fbd90.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 32ff2fbd90.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d1e123248e.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d1e123248e.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Code function: 9_2_6C7655F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_6C7655F0

Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\DRWgoZo325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skotes.exe PID: 7124, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\DRWgoZo325.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: PROCMON.EXE
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: X64DBG.EXE
Source: skotes.exe, 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 7d4f3b6a88.exe, 00000019.00000002.2374370764.0000000000BE2000.00000040.00000001.01000000.0000000F.sdmp, 7d4f3b6a88.exe, 00000019.00000003.2330550240.00000000053C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLN@
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: WINDBG.EXE
Source: Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 7CF4C6 second address: 7CF4CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 7CF4CA second address: 7CF4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F871CC399FFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 7CF4E1 second address: 7CF4FA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F871CD54406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007F871CD54406h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 947518 second address: 94751C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94751C second address: 947522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 947522 second address: 947528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 947528 second address: 94752C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9477C7 second address: 9477D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F871CC399F6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AAED second address: 94AB0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD5440Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F871CD54406h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AB0A second address: 94AB10 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AB10 second address: 94AB66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54411h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b js 00007F871CD5440Ch 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b jmp 00007F871CD5440Eh 0x00000020 pop eax 0x00000021 lea ebx, dword ptr [ebp+1244F942h] 0x00000027 adc edx, 65CC2727h 0x0000002d push eax 0x0000002e pushad 0x0000002f pushad 0x00000030 pushad 0x00000031 popad 0x00000032 jc 00007F871CD54406h 0x00000038 popad 0x00000039 push eax 0x0000003a push edx 0x0000003b jbe 00007F871CD54406h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94ABE0 second address: 94AC55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F871CC399FAh 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e jnp 00007F871CC39A02h 0x00000014 jne 00007F871CC399FCh 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F871CC399F8h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 push edi 0x00000036 pushad 0x00000037 mov ebx, dword ptr [ebp+122D3A41h] 0x0000003d mov bl, 47h 0x0000003f popad 0x00000040 pop edi 0x00000041 add dword ptr [ebp+122D2BB7h], esi 0x00000047 mov dword ptr [ebp+122D2AF3h], edi 0x0000004d push 00000000h 0x0000004f mov si, ax 0x00000052 push D7EB8740h 0x00000057 pushad 0x00000058 push ecx 0x00000059 js 00007F871CC399F6h 0x0000005f pop ecx 0x00000060 js 00007F871CC399FCh 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AC55 second address: 94ACFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 28147940h 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F871CD54408h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 movzx ecx, di 0x00000029 push 00000003h 0x0000002b mov edi, dword ptr [ebp+122D38C5h] 0x00000031 push 00000000h 0x00000033 mov di, 1860h 0x00000037 push 00000003h 0x00000039 push 00000000h 0x0000003b push ebx 0x0000003c call 00007F871CD54408h 0x00000041 pop ebx 0x00000042 mov dword ptr [esp+04h], ebx 0x00000046 add dword ptr [esp+04h], 00000019h 0x0000004e inc ebx 0x0000004f push ebx 0x00000050 ret 0x00000051 pop ebx 0x00000052 ret 0x00000053 sub dword ptr [ebp+122D1C38h], ecx 0x00000059 call 00007F871CD54409h 0x0000005e jl 00007F871CD5441Dh 0x00000064 jmp 00007F871CD54417h 0x00000069 push eax 0x0000006a jnl 00007F871CD5440Eh 0x00000070 mov eax, dword ptr [esp+04h] 0x00000074 push eax 0x00000075 push edx 0x00000076 jc 00007F871CD54408h 0x0000007c pushad 0x0000007d popad 0x0000007e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94ACFE second address: 94AD65 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007F871CC399F6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f jno 00007F871CC399FCh 0x00000015 jmp 00007F871CC399FEh 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jmp 00007F871CC39A05h 0x00000024 pop eax 0x00000025 mov esi, 02C19BF8h 0x0000002a mov si, 8FD8h 0x0000002e lea ebx, dword ptr [ebp+1244F94Bh] 0x00000034 pushad 0x00000035 movzx edx, si 0x00000038 popad 0x00000039 xchg eax, ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c jp 00007F871CC399FCh 0x00000042 jo 00007F871CC399F6h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AD65 second address: 94AD94 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F871CD5441Dh 0x00000008 jmp 00007F871CD54417h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 jbe 00007F871CD5440Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AE50 second address: 94AE56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AE56 second address: 94AE5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AF0D second address: 94AF18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F871CC399F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AF18 second address: 94AF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F871CD54416h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AF3B second address: 94AF62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c pushad 0x0000000d jng 00007F871CC399F6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AF62 second address: 94AF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 94AF71 second address: 94AFC6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F871CC399F8h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov cx, AB63h 0x00000026 lea ebx, dword ptr [ebp+1244F956h] 0x0000002c jmp 00007F871CC39A02h 0x00000031 xor cx, 65C7h 0x00000036 xchg eax, ebx 0x00000037 pushad 0x00000038 push esi 0x00000039 jng 00007F871CC399F6h 0x0000003f pop esi 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96BEFD second address: 96BF19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CD54418h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96BF19 second address: 96BF23 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F871CC399F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 969DAD second address: 969DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jng 00007F871CD54406h 0x0000000c jng 00007F871CD54406h 0x00000012 popad 0x00000013 js 00007F871CD5440Eh 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96A626 second address: 96A630 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F871CC399FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96AA8D second address: 96AA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96AA91 second address: 96AAA0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 js 00007F871CC399F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96AAA0 second address: 96AAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push ecx 0x00000007 pushad 0x00000008 jmp 00007F871CD54415h 0x0000000d jmp 00007F871CD5440Dh 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9412B9 second address: 9412D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96B09B second address: 96B09F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96B09F second address: 96B0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F871CC399F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96B90E second address: 96B916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96B916 second address: 96B91D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96BD5D second address: 96BD63 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96BD63 second address: 96BD68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 96F074 second address: 96F097 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F871CD54425h 0x00000008 jmp 00007F871CD54419h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 93747F second address: 937485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 937485 second address: 937489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 970F22 second address: 970F26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 971610 second address: 971633 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F871CD54416h 0x00000008 jmp 00007F871CD54410h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 979945 second address: 97994E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97994E second address: 97997D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F871CD54406h 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F871CD54412h 0x00000013 jmp 00007F871CD5440Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97997D second address: 9799A0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F871CC399F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F871CC39A05h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9799A0 second address: 9799BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CD54419h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9799BD second address: 9799C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 979C3F second address: 979C73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007F871CD54406h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jnp 00007F871CD54406h 0x00000013 jnl 00007F871CD54406h 0x00000019 pop edi 0x0000001a jmp 00007F871CD5440Fh 0x0000001f pushad 0x00000020 jns 00007F871CD54406h 0x00000026 pushad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 979C73 second address: 979C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97A446 second address: 97A44C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97A44C second address: 97A482 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 00E09529h 0x00000010 mov esi, ebx 0x00000012 mov edi, dword ptr [ebp+122D3C05h] 0x00000018 push 7AF975F7h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F871CC399FFh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97A7F4 second address: 97A7F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97AA88 second address: 97AA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97AF25 second address: 97AF30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F871CD54406h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97AF30 second address: 97AF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97AF3E second address: 97AF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97AF42 second address: 97AF4C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F871CC399F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97AF4C second address: 97AF52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97AF52 second address: 97AF56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97AF90 second address: 97AFAA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F871CD54406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F871CD5440Ch 0x00000014 jnp 00007F871CD54406h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97AFAA second address: 97AFB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F871CC399F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97B1F3 second address: 97B1F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97BAA6 second address: 97BAAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97BAAC second address: 97BB4D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F871CD54411h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F871CD54413h 0x00000012 jmp 00007F871CD54412h 0x00000017 popad 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F871CD54408h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 jmp 00007F871CD5440Dh 0x00000038 push 00000000h 0x0000003a mov di, cx 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push eax 0x00000042 call 00007F871CD54408h 0x00000047 pop eax 0x00000048 mov dword ptr [esp+04h], eax 0x0000004c add dword ptr [esp+04h], 00000019h 0x00000054 inc eax 0x00000055 push eax 0x00000056 ret 0x00000057 pop eax 0x00000058 ret 0x00000059 mov edi, 5A331395h 0x0000005e push eax 0x0000005f pushad 0x00000060 push ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97C533 second address: 97C537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97C385 second address: 97C38A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97C537 second address: 97C53B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97C53B second address: 97C558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F871CD5440Ch 0x0000000c jnp 00007F871CD54406h 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007F871CD54406h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97C558 second address: 97C572 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F871CC399F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F871CC399FEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97C572 second address: 97C576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97C576 second address: 97C601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jmp 00007F871CC39A05h 0x0000000d mov edi, dword ptr [ebp+122D2D36h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F871CC399F8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F871CC399F8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 0000001Bh 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b mov esi, dword ptr [ebp+122D39E5h] 0x00000051 xchg eax, ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F871CC39A05h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97D428 second address: 97D42E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97CD3A second address: 97CD41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97D42E second address: 97D43D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97D43D second address: 97D441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97D441 second address: 97D445 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97D445 second address: 97D44B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97D44B second address: 97D4A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F871CD54406h 0x00000009 jmp 00007F871CD54419h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 and edi, dword ptr [ebp+122D3AD5h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F871CD54408h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 push 00000000h 0x00000036 cmc 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97D4A5 second address: 97D4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97D4AB second address: 97D4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97DE45 second address: 97DE6A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F871CC399F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jbe 00007F871CC399F6h 0x00000011 jmp 00007F871CC399FBh 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push esi 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97DBB9 second address: 97DBCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F871CD5440Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97DE6A second address: 97DE87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97DBCB second address: 97DBCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97DE87 second address: 97DEF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov di, 83EFh 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F871CC399F8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a call 00007F871CC399FFh 0x0000002f cmc 0x00000030 pop esi 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 push edx 0x00000035 mov di, A788h 0x00000039 pop edi 0x0000003a pop esi 0x0000003b xchg eax, ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F871CC39A03h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97DBCF second address: 97DBEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 js 00007F871CD5440Ch 0x0000000f jo 00007F871CD54406h 0x00000015 push eax 0x00000016 push edx 0x00000017 jns 00007F871CD54406h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97DEF6 second address: 97DF12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CC39A08h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97DF12 second address: 97DF16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97DF16 second address: 97DF23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97E9C0 second address: 97E9D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 js 00007F871CD5440Ch 0x0000000e jne 00007F871CD54406h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97E9D9 second address: 97EA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F871CC399F8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D1C04h], eax 0x00000027 push 00000000h 0x00000029 xor esi, dword ptr [ebp+122D3BC9h] 0x0000002f push 00000000h 0x00000031 call 00007F871CC399FAh 0x00000036 mov di, 24C3h 0x0000003a pop edi 0x0000003b xchg eax, ebx 0x0000003c pushad 0x0000003d ja 00007F871CC39A0Ch 0x00000043 pushad 0x00000044 pushad 0x00000045 popad 0x00000046 jmp 00007F871CC399FBh 0x0000004b popad 0x0000004c popad 0x0000004d push eax 0x0000004e jo 00007F871CC39A11h 0x00000054 push eax 0x00000055 push edx 0x00000056 ja 00007F871CC399F6h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97F4AB second address: 97F528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F871CD54408h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 pushad 0x00000024 and ch, FFFFFF86h 0x00000027 popad 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007F871CD54408h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 or esi, dword ptr [ebp+122D1B28h] 0x0000004c movzx edi, bx 0x0000004f xchg eax, ebx 0x00000050 push eax 0x00000051 push edx 0x00000052 jns 00007F871CD5441Bh 0x00000058 jmp 00007F871CD54415h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97F528 second address: 97F545 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007F871CC39A02h 0x00000010 jg 00007F871CC399FCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97FEB2 second address: 97FECE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54418h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97FECE second address: 97FEE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CC39A02h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97FEE4 second address: 97FEE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97FEE8 second address: 97FF23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edi, dword ptr [ebp+122D3B8Dh] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F871CC399F8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b add di, E12Ah 0x00000030 push 00000000h 0x00000032 xchg eax, ebx 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97FF23 second address: 97FF27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97FF27 second address: 97FF48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F871CC399FCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 97FF48 second address: 97FF52 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F871CD54406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 983AFC second address: 983B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F871CC399F8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov ebx, dword ptr [ebp+12455243h] 0x0000002e pushad 0x0000002f clc 0x00000030 jmp 00007F871CC39A06h 0x00000035 popad 0x00000036 push 00000000h 0x00000038 call 00007F871CC399FAh 0x0000003d sbb ebx, 76BFB226h 0x00000043 pop ebx 0x00000044 mov ebx, 294DD026h 0x00000049 push eax 0x0000004a pushad 0x0000004b push ebx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 984C31 second address: 984C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 984C35 second address: 984C43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F871CC399F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 984C43 second address: 984C63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F871CD54412h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 984C63 second address: 984C68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 983DAE second address: 983DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F871CD54408h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 985C68 second address: 985CAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b jbe 00007F871CC39A02h 0x00000011 jmp 00007F871CC399FCh 0x00000016 nop 0x00000017 push 00000000h 0x00000019 xor edi, 175B9C01h 0x0000001f push 00000000h 0x00000021 and di, 9F07h 0x00000026 push edi 0x00000027 mov dword ptr [ebp+122D2DBAh], edx 0x0000002d pop ebx 0x0000002e xchg eax, esi 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 push ebx 0x00000033 pop ebx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 983DBF second address: 983DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 985CAF second address: 985CB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 983DC5 second address: 983DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 984DDC second address: 984DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 984DE3 second address: 984DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F871CD5440Ch 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 986C48 second address: 986C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 984DFC second address: 984E06 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F871CD54406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 986C4C second address: 986C52 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 986C52 second address: 986C58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 985E71 second address: 985E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 987CF1 second address: 987D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F871CD54412h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 987D13 second address: 987D19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 987D19 second address: 987D97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54411h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F871CD54408h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007F871CD54408h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 mov edi, 17CC988Fh 0x00000045 push 00000000h 0x00000047 xor dword ptr [ebp+122D1C38h], esi 0x0000004d mov bx, cx 0x00000050 xchg eax, esi 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F871CD54410h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 987D97 second address: 987DBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 987DBA second address: 987DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 986DEE second address: 986E64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F871CC39A06h 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov di, 89BAh 0x00000014 jmp 00007F871CC399FAh 0x00000019 push dword ptr fs:[00000000h] 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007F871CC399F8h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 00000017h 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a mov edi, 082323A7h 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 mov ebx, ecx 0x00000048 mov eax, dword ptr [ebp+122D034Dh] 0x0000004e push FFFFFFFFh 0x00000050 mov dword ptr [ebp+122D2DA7h], ebx 0x00000056 nop 0x00000057 pushad 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 986E64 second address: 986E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CD5440Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 988E44 second address: 988E60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 988E60 second address: 988EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F871CD54408h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push edi 0x00000026 call 00007F871CD54408h 0x0000002b pop edi 0x0000002c mov dword ptr [esp+04h], edi 0x00000030 add dword ptr [esp+04h], 00000014h 0x00000038 inc edi 0x00000039 push edi 0x0000003a ret 0x0000003b pop edi 0x0000003c ret 0x0000003d mov di, si 0x00000040 push 00000000h 0x00000042 xchg eax, esi 0x00000043 push ecx 0x00000044 push ecx 0x00000045 pushad 0x00000046 popad 0x00000047 pop ecx 0x00000048 pop ecx 0x00000049 push eax 0x0000004a push edi 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F871CD54415h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 989FE9 second address: 989FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 98B062 second address: 98B0E6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F871CD54413h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F871CD54408h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b and edi, dword ptr [ebp+122D2D46h] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F871CD54408h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000016h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d mov dword ptr [ebp+1244C908h], edx 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 jmp 00007F871CD54410h 0x0000005a push eax 0x0000005b push edx 0x0000005c ja 00007F871CD54406h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 98E11D second address: 98E175 instructions: 0x00000000 rdtsc 0x00000002 je 00007F871CC399FEh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a js 00007F871CC399F6h 0x00000010 push eax 0x00000011 jmp 00007F871CC39A09h 0x00000016 pop eax 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F871CC399FAh 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F871CC39A08h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 98B305 second address: 98B332 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jbe 00007F871CD54408h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F871CD54419h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 98B332 second address: 98B336 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 98F972 second address: 98F999 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F871CD5441Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 98F999 second address: 98F99D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 98F99D second address: 98F9A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 98F9A3 second address: 98F9A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 99091B second address: 990925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F871CD54406h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 98F9A9 second address: 98F9AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 991872 second address: 9918E6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jmp 00007F871CD54419h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov bx, di 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d jne 00007F871CD54412h 0x00000023 mov eax, dword ptr [ebp+122D010Dh] 0x00000029 mov bx, 754Ch 0x0000002d push FFFFFFFFh 0x0000002f jno 00007F871CD54409h 0x00000035 nop 0x00000036 jmp 00007F871CD54414h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push esi 0x0000003f push eax 0x00000040 pop eax 0x00000041 pop esi 0x00000042 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 993833 second address: 993837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 993837 second address: 993841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 993841 second address: 993845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 993845 second address: 9938D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54416h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jl 00007F871CD54410h 0x00000011 nop 0x00000012 mov edi, dword ptr [ebp+122D2BFBh] 0x00000018 mov bl, dl 0x0000001a push dword ptr fs:[00000000h] 0x00000021 movsx edi, di 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b mov dword ptr [ebp+1247AD9Ch], ecx 0x00000031 mov eax, dword ptr [ebp+122D020Dh] 0x00000037 js 00007F871CD5440Ch 0x0000003d mov edi, dword ptr [ebp+122D2D54h] 0x00000043 push FFFFFFFFh 0x00000045 mov edi, dword ptr [ebp+122D3AA9h] 0x0000004b call 00007F871CD54413h 0x00000050 mov ebx, dword ptr [ebp+122D3C3Dh] 0x00000056 pop edi 0x00000057 nop 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b push edi 0x0000005c pop edi 0x0000005d jns 00007F871CD54406h 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9938D8 second address: 9938E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9938E7 second address: 9938EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 994776 second address: 99477C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 994822 second address: 994826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 994826 second address: 99482C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 99A575 second address: 99A580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 99A580 second address: 99A589 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 99EFCE second address: 99EFD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 942DE2 second address: 942DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 942DE6 second address: 942E04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F871CD54418h 0x0000000c jmp 00007F871CD5440Ch 0x00000011 jc 00007F871CD54406h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 99E878 second address: 99E87E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 99E9DE second address: 99E9FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F871CD54415h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 99E9FD second address: 99EA01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 99EB8F second address: 99EB94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 99EB94 second address: 99EB9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 99EB9F second address: 99EBA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A43E9 second address: 9A43EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A7FB6 second address: 9A8003 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jno 00007F871CD54406h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F871CD5440Bh 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push ebx 0x0000001c jmp 00007F871CD54414h 0x00000021 push eax 0x00000022 push edx 0x00000023 push esi 0x00000024 pop esi 0x00000025 jmp 00007F871CD54413h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A857B second address: 9A857F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A857F second address: 9A85B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD5440Fh 0x00000007 jmp 00007F871CD54418h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 ja 00007F871CD54406h 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A85B9 second address: 9A85C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A85C1 second address: 9A85C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A873A second address: 9A8744 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F871CC399FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A889B second address: 9A88AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CD5440Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A88AE second address: 9A88B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A88B2 second address: 9A88B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A8E69 second address: 9A8E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A8E6D second address: 9A8E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A8E71 second address: 9A8E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9A8E7C second address: 9A8E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F871CD54406h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AEFA8 second address: 9AEFC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F871CC399FEh 0x0000000c jno 00007F871CC399F6h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AEFC0 second address: 9AEFC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AEFC6 second address: 9AEFD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F871CC399F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AEFD8 second address: 9AEFFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F871CD5440Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F871CD5440Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AD923 second address: 9AD929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9ADA8E second address: 9ADA94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9ADA94 second address: 9ADAC2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F871CC399F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F871CC399FBh 0x00000015 push esi 0x00000016 jmp 00007F871CC39A01h 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9ADF04 second address: 9ADF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9ADF0A second address: 9ADF24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F871CC399F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F871CC399FBh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9ADF24 second address: 9ADF2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9ADF2F second address: 9ADF4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9ADF4E second address: 9ADF52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9ADF52 second address: 9ADF80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F871CC39A06h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9ADF80 second address: 9ADF86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9ADF86 second address: 9ADF8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE283 second address: 9AE2A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54410h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F871CD54406h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE2A1 second address: 9AE2B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F871CC399F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F871CC399FEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE2B5 second address: 9AE2CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jno 00007F871CD54408h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE2CB second address: 9AE2CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE2CF second address: 9AE302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54414h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F871CD54415h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE302 second address: 9AE306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE43B second address: 9AE459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007F871CD5440Dh 0x0000000b pop eax 0x0000000c jo 00007F871CD5440Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE591 second address: 9AE597 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE597 second address: 9AE5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F871CD54406h 0x0000000e jmp 00007F871CD54418h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE70E second address: 9AE714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE714 second address: 9AE718 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE718 second address: 9AE71E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AE71E second address: 9AE739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F871CD5440Ch 0x0000000c pushad 0x0000000d jbe 00007F871CD54406h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 961C02 second address: 961C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CC399FBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AEE3A second address: 9AEE3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AEE3E second address: 9AEE44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AEE44 second address: 9AEE49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AEE49 second address: 9AEE4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AEE4F second address: 9AEE55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9AEE55 second address: 9AEE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F871CC399F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9B2764 second address: 9B2768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9B2768 second address: 9B2772 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F871CC399F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BBC7F second address: 9BBCD6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F871CD54411h 0x0000000c jmp 00007F871CD54411h 0x00000011 jmp 00007F871CD54419h 0x00000016 popad 0x00000017 popad 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F871CD54410h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BBCD6 second address: 9BBCDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BA8B2 second address: 9BA8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jnc 00007F871CD54412h 0x0000000d jng 00007F871CD54406h 0x00000013 jng 00007F871CD54406h 0x00000019 push eax 0x0000001a jnl 00007F871CD54406h 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BA8D7 second address: 9BA8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F871CC399F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BAFCA second address: 9BB013 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F871CD54416h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F871CD5440Eh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F871CD54416h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BB013 second address: 9BB01F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BA5B4 second address: 9BA5C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jne 00007F871CD54406h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BA5C6 second address: 9BA5E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F871CC39A04h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BA5E6 second address: 9BA5EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BB2C6 second address: 9BB2CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BB2CC second address: 9BB2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F871CD5440Dh 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BB2E1 second address: 9BB2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BB2EF second address: 9BB30D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F871CD54419h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BF396 second address: 9BF39C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BF39C second address: 9BF3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F871CD54411h 0x0000000c jmp 00007F871CD5440Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 981A86 second address: 981A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9820A4 second address: 9820A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9820A8 second address: 9820AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 982242 second address: 982246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 982246 second address: 98224C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 98224C second address: 982251 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 982362 second address: 98236B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 98236B second address: 982390 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F871CD54406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jng 00007F871CD54412h 0x00000016 jmp 00007F871CD5440Ch 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9824B0 second address: 9824F3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F871CC399F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F871CC39A09h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F871CC39A09h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9824F3 second address: 9824F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9824F8 second address: 982502 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F871CC399F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 982D78 second address: 982D91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD5440Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007F871CD5440Eh 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 982D91 second address: 961C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 nop 0x00000006 je 00007F871CC39A02h 0x0000000c jnl 00007F871CC399FCh 0x00000012 lea eax, dword ptr [ebp+12486849h] 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F871CC399F8h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 or dword ptr [ebp+122D26DCh], edi 0x00000038 and cx, 7C5Eh 0x0000003d push eax 0x0000003e jmp 00007F871CC39A02h 0x00000043 mov dword ptr [esp], eax 0x00000046 mov cx, bx 0x00000049 lea eax, dword ptr [ebp+12486805h] 0x0000004f jnl 00007F871CC399FAh 0x00000055 mov dh, 85h 0x00000057 push eax 0x00000058 jmp 00007F871CC39A08h 0x0000005d mov dword ptr [esp], eax 0x00000060 mov ecx, dword ptr [ebp+122D3B1Dh] 0x00000066 call dword ptr [ebp+122D1BD7h] 0x0000006c push edi 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BF758 second address: 9BF75C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BF75C second address: 9BF77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007F871CC399FCh 0x0000000e jp 00007F871CC399F6h 0x00000014 pop edi 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BF77D second address: 9BF783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BFC80 second address: 9BFC86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9BFF20 second address: 9BFF26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9C34C8 second address: 9C34D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F871CC399F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9C34D9 second address: 9C34DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9C34DD second address: 9C34FE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F871CC399F6h 0x00000008 jmp 00007F871CC399FAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007F871CC39A06h 0x00000015 push eax 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9C308F second address: 9C309B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007F871CD54406h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9C309B second address: 9C30B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FCh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9C30B3 second address: 9C30CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F871CD5440Bh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9C30CB second address: 9C30D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 933FCB second address: 933FE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD5440Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 933FE1 second address: 934007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F871CC399F6h 0x0000000c popad 0x0000000d pop ebx 0x0000000e pushad 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 js 00007F871CC399F6h 0x00000018 pop edx 0x00000019 jmp 00007F871CC399FAh 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9C9C0C second address: 9C9C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9C9DA1 second address: 9C9DBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F871CC39A0Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9C9DBB second address: 9C9DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F871CD54406h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9CE39B second address: 9CE3A7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F871CC399F6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9CD7A7 second address: 9CD7AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D287E second address: 9D2888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F871CC399F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D2888 second address: 9D2898 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F871CD5440Eh 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D2BAC second address: 9D2BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D2BB2 second address: 9D2BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D2BB6 second address: 9D2BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D2D2F second address: 9D2D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D2D35 second address: 9D2D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D2D3B second address: 9D2D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F871CD5440Eh 0x0000000d pop ebx 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D2EB9 second address: 9D2EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D2EBD second address: 9D2ED3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F871CD54406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F871CD54406h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 982822 second address: 982826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 982826 second address: 982885 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push ecx 0x00000009 jmp 00007F871CD54413h 0x0000000e pop ecx 0x0000000f nop 0x00000010 jbe 00007F871CD5440Ch 0x00000016 sub dword ptr [ebp+1244FA48h], esi 0x0000001c mov ebx, dword ptr [ebp+12486844h] 0x00000022 jo 00007F871CD5440Ch 0x00000028 mov edx, dword ptr [ebp+122D1A54h] 0x0000002e jp 00007F871CD5440Ch 0x00000034 sub dword ptr [ebp+1244C908h], edx 0x0000003a add eax, ebx 0x0000003c jmp 00007F871CD5440Ah 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 js 00007F871CD54408h 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D3179 second address: 9D317F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D317F second address: 9D3189 instructions: 0x00000000 rdtsc 0x00000002 je 00007F871CD54406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D3189 second address: 9D31C1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F871CC399FFh 0x0000000e jne 00007F871CC399FCh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F871CC39A02h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D3CF1 second address: 9D3CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9D3CF7 second address: 9D3CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9DD4A9 second address: 9DD4AF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9DB8FC second address: 9DB902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9DC1E3 second address: 9DC208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F871CD54410h 0x0000000c jmp 00007F871CD5440Bh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9DCA94 second address: 9DCAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CC39A01h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jnl 00007F871CC399F6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9DCAB6 second address: 9DCABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9DCABC second address: 9DCAC1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9DCDE5 second address: 9DCE18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CD5440Eh 0x00000009 push eax 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F871CD54416h 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9DD135 second address: 9DD13F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9DD13F second address: 9DD14E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F871CD54406h 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9DD14E second address: 9DD172 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F871CC39A08h 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F871CC399F6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E05A9 second address: 9E05B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F871CD54406h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E05B3 second address: 9E05B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E05B7 second address: 9E05ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CD5440Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F871CD54417h 0x00000014 jnc 00007F871CD54412h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E05ED second address: 9E05F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F871CC399F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E0A4F second address: 9E0A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CD54418h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E103A second address: 9E103E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E103E second address: 9E106A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD5440Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F871CD5440Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F871CD5440Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E106A second address: 9E106E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E11CC second address: 9E11D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E11D4 second address: 9E11D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E11D9 second address: 9E11DE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9E5FD6 second address: 9E5FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EF7FE second address: 9EF804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EDA82 second address: 9EDA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F871CC399F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EDC49 second address: 9EDC6E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 jc 00007F871CD54406h 0x0000000f pop esi 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F871CD5440Fh 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EDC6E second address: 9EDC74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EDF31 second address: 9EDF3E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F871CD54406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EE068 second address: 9EE06E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EE06E second address: 9EE074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EE4D4 second address: 9EE4FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F871CC399FCh 0x0000000c jno 00007F871CC399F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F871CC399F6h 0x0000001a jmp 00007F871CC39A01h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EE7C4 second address: 9EE7C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EE7C8 second address: 9EE7CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EE7CC second address: 9EE7DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnp 00007F871CD54406h 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EE7DF second address: 9EE7E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EE93D second address: 9EE943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9EE943 second address: 9EE967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007F871CC39A04h 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9ED63B second address: 9ED640 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 93C33D second address: 93C343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 93C343 second address: 93C356 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F871CD5440Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 93C356 second address: 93C380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jl 00007F871CC39A09h 0x0000000e jmp 00007F871CC39A01h 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 jl 00007F871CC399F6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 9F65A0 second address: 9F65B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F871CD5440Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0070D second address: A00718 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F871CC399F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A00718 second address: A00738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jnc 00007F871CD54408h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F871CD54406h 0x00000018 jbe 00007F871CD54406h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 92B9C7 second address: 92B9CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 92B9CD second address: 92B9D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 92B9D1 second address: 92B9E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FFh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A06E48 second address: A06E6D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007F871CD54406h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F871CD54415h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A06E6D second address: A06E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A06E73 second address: A06E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A06E82 second address: A06E86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A068EE second address: A06900 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD5440Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A069F4 second address: A069FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A069FA second address: A06A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F871CD54408h 0x0000000b jmp 00007F871CD5440Fh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 pop eax 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A06A26 second address: A06A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0A8DA second address: A0A900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CD54419h 0x00000009 popad 0x0000000a jc 00007F871CD5440Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0A900 second address: A0A904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0A904 second address: A0A90C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0A90C second address: A0A910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0A476 second address: A0A47C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0A47C second address: A0A4A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F871CC39A0Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0A5EC second address: A0A603 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54413h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0A603 second address: A0A630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F871CC39A02h 0x0000000a jmp 00007F871CC399FCh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0A630 second address: A0A636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0A636 second address: A0A64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F871CC39A02h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A0A64D second address: A0A65D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F871CD54412h 0x00000008 jbe 00007F871CD54406h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A182B4 second address: A182C5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F871CC399FBh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A182C5 second address: A182CF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F871CD54412h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A182CF second address: A182D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A1F924 second address: A1F92A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A1F92A second address: A1F930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A1F930 second address: A1F935 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A23F6C second address: A23F70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A2452B second address: A2454A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F871CD54419h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A247CA second address: A247D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A247D2 second address: A247D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A2523A second address: A25258 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F871CC39A09h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A25258 second address: A25264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A2919E second address: A291C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F871CC39A00h 0x0000000a jno 00007F871CC399FCh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A291C6 second address: A291CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A28D03 second address: A28D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 js 00007F871CC399FEh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A28D14 second address: A28D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A28D18 second address: A28D25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F871CC399F6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A2C39C second address: A2C3A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A2C3A0 second address: A2C3AC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F871CC399F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A2C3AC second address: A2C3D1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F871CD5440Ch 0x00000008 jne 00007F871CD54406h 0x0000000e pushad 0x0000000f jmp 00007F871CD54412h 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A3B71F second address: A3B725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A3B725 second address: A3B729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A3B729 second address: A3B740 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FFh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A3DAD4 second address: A3DADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F871CD54406h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A3DADF second address: A3DB2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b jmp 00007F871CC39A04h 0x00000010 jng 00007F871CC399F6h 0x00000016 pop ebx 0x00000017 jmp 00007F871CC39A00h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A3DB2A second address: A3DB32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A4FA3F second address: A4FA4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F871CC399F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A4FA4B second address: A4FA4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A4FA4F second address: A4FA53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A4F5C6 second address: A4F5D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CD5440Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A4F5D9 second address: A4F5EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A01h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A678D6 second address: A678EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CD54411h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A678EB second address: A678EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A67B5B second address: A67B7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F871CD54418h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A67CC2 second address: A67CD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A00h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A67CD6 second address: A67D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F871CD54417h 0x0000000b jp 00007F871CD5441Bh 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F871CD54413h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A68443 second address: A68466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CC39A07h 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A68466 second address: A68481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F871CD54412h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A68481 second address: A684B0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F871CC399F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F871CC39A06h 0x0000000f pushad 0x00000010 jnc 00007F871CC399F6h 0x00000016 ja 00007F871CC399F6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A6876F second address: A6877C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F871CD54406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A6B65F second address: A6B663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A6E97E second address: A6E983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A6E983 second address: A6E998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CC399FBh 0x00000009 jnp 00007F871CC399F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A6E538 second address: A6E54E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F871CD54406h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A6E54E second address: A6E552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A70451 second address: A70456 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: A70456 second address: A7045C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5120E0D second address: 5120E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5120E11 second address: 5120E22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5120E22 second address: 5120E47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 mov ebx, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F871CD54412h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5120E47 second address: 5120E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5120E4B second address: 5120E67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54418h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5120E67 second address: 5120E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ebx, 31AA4F26h 0x00000012 mov ebx, 4EDC37B2h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160F93 second address: 5160FC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 7A94h 0x00000007 push edx 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e mov al, BEh 0x00000010 mov edx, 3C6DB0C4h 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 jmp 00007F871CD54413h 0x0000001c mov ebp, esp 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51000CB second address: 51000DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CC399FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51000DD second address: 51000E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5120BB0 second address: 5120BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushfd 0x00000008 jmp 00007F871CC39A05h 0x0000000d sbb cx, 5FC6h 0x00000012 jmp 00007F871CC39A01h 0x00000017 popfd 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51206FF second address: 5120743 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edi, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F871CD54414h 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F871CD54411h 0x00000018 push eax 0x00000019 push edx 0x0000001a call 00007F871CD5440Eh 0x0000001f pop esi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51205EB second address: 5120673 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F871CC39A08h 0x00000008 and esi, 7C4F5BC8h 0x0000000e jmp 00007F871CC399FBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F871CC39A08h 0x0000001c xor ax, 5E28h 0x00000021 jmp 00007F871CC399FBh 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 pushad 0x0000002a mov cx, 163Bh 0x0000002e mov ebx, esi 0x00000030 popad 0x00000031 push eax 0x00000032 jmp 00007F871CC399FDh 0x00000037 xchg eax, ebp 0x00000038 jmp 00007F871CC399FEh 0x0000003d mov ebp, esp 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5120673 second address: 5120690 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54419h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51302EC second address: 51302F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51302F2 second address: 51302F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160EB1 second address: 5160F02 instructions: 0x00000000 rdtsc 0x00000002 mov di, DC66h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F871CC39A07h 0x0000000d pushfd 0x0000000e jmp 00007F871CC39A08h 0x00000013 add ch, 00000038h 0x00000016 jmp 00007F871CC399FBh 0x0000001b popfd 0x0000001c pop esi 0x0000001d popad 0x0000001e push esi 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 mov si, 4767h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160F02 second address: 5160F2F instructions: 0x00000000 rdtsc 0x00000002 mov si, F303h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F871CD54418h 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 popad 0x00000011 mov dword ptr [esp], ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160F2F second address: 5160F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160F33 second address: 5160F39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160F39 second address: 5160F3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160F3F second address: 5160F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160F43 second address: 5160F47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51403CF second address: 5140440 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F871CD5440Ch 0x00000008 or ecx, 55F78588h 0x0000000e jmp 00007F871CD5440Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F871CD5440Fh 0x0000001f jmp 00007F871CD54413h 0x00000024 popfd 0x00000025 mov edx, ecx 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 jmp 00007F871CD54412h 0x0000002e mov ebp, esp 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F871CD5440Ch 0x00000038 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5140440 second address: 51404D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 81h 0x00000006 popad 0x00000007 mov eax, dword ptr [ebp+08h] 0x0000000a jmp 00007F871CC39A08h 0x0000000f and dword ptr [eax], 00000000h 0x00000012 pushad 0x00000013 call 00007F871CC399FEh 0x00000018 mov ebx, esi 0x0000001a pop ecx 0x0000001b mov dx, 9352h 0x0000001f popad 0x00000020 and dword ptr [eax+04h], 00000000h 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F871CC39A02h 0x0000002d adc esi, 74AED168h 0x00000033 jmp 00007F871CC399FBh 0x00000038 popfd 0x00000039 pushfd 0x0000003a jmp 00007F871CC39A08h 0x0000003f and cx, 23C8h 0x00000044 jmp 00007F871CC399FBh 0x00000049 popfd 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 512051B second address: 5120538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CD54419h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5120538 second address: 51205BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007F871CC399FCh 0x00000012 pushfd 0x00000013 jmp 00007F871CC39A02h 0x00000018 sbb eax, 2A023248h 0x0000001e jmp 00007F871CC399FBh 0x00000023 popfd 0x00000024 pop ecx 0x00000025 pushad 0x00000026 mov si, di 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c popad 0x0000002d push eax 0x0000002e jmp 00007F871CC399FEh 0x00000033 xchg eax, ebp 0x00000034 pushad 0x00000035 mov ecx, 58D1A2FDh 0x0000003a push eax 0x0000003b pushad 0x0000003c popad 0x0000003d pop edi 0x0000003e popad 0x0000003f mov ebp, esp 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F871CC39A01h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5130EA1 second address: 5130EBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54417h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5130EBC second address: 5130ED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CC39A04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5130ED4 second address: 5130EFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F871CD5440Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F871CD5440Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5130EFA second address: 5130F00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5130F00 second address: 5130F06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5130F06 second address: 5130F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5130F0A second address: 5130F2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F871CD54411h 0x00000012 pop esi 0x00000013 mov ebx, 018B9014h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5130F2F second address: 5130F56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 jmp 00007F871CC39A04h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov si, bx 0x00000014 movsx ebx, cx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51401E8 second address: 5140203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CD54417h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5140203 second address: 5140207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5140207 second address: 514022B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F871CD54412h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov ch, CDh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51605B1 second address: 516060B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F871CC399FEh 0x0000000f push eax 0x00000010 jmp 00007F871CC399FBh 0x00000015 xchg eax, ecx 0x00000016 jmp 00007F871CC39A06h 0x0000001b mov eax, dword ptr [777265FCh] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 516060B second address: 516060F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 516060F second address: 5160615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160615 second address: 516064E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 0F01D8E1h 0x00000008 movzx esi, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test eax, eax 0x00000010 jmp 00007F871CD54419h 0x00000015 je 00007F878F29772Eh 0x0000001b pushad 0x0000001c movzx esi, dx 0x0000001f push eax 0x00000020 push edx 0x00000021 mov bx, D74Ah 0x00000025 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 516064E second address: 516072F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F871CC399FBh 0x00000008 and ax, D9EEh 0x0000000d jmp 00007F871CC39A09h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov ecx, eax 0x00000018 jmp 00007F871CC399FEh 0x0000001d xor eax, dword ptr [ebp+08h] 0x00000020 pushad 0x00000021 movzx ecx, dx 0x00000024 popad 0x00000025 and ecx, 1Fh 0x00000028 pushad 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F871CC399FCh 0x00000030 adc cx, EBC8h 0x00000035 jmp 00007F871CC399FBh 0x0000003a popfd 0x0000003b popad 0x0000003c pushfd 0x0000003d jmp 00007F871CC39A08h 0x00000042 or ax, EE28h 0x00000047 jmp 00007F871CC399FBh 0x0000004c popfd 0x0000004d popad 0x0000004e ror eax, cl 0x00000050 jmp 00007F871CC39A06h 0x00000055 leave 0x00000056 pushad 0x00000057 mov dx, ax 0x0000005a push eax 0x0000005b push edx 0x0000005c pushfd 0x0000005d jmp 00007F871CC39A08h 0x00000062 xor eax, 233002E8h 0x00000068 jmp 00007F871CC399FBh 0x0000006d popfd 0x0000006e rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 516072F second address: 5160743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 retn 0004h 0x00000008 nop 0x00000009 mov esi, eax 0x0000000b lea eax, dword ptr [ebp-08h] 0x0000000e xor esi, dword ptr [007C2014h] 0x00000014 push eax 0x00000015 push eax 0x00000016 push eax 0x00000017 lea eax, dword ptr [ebp-10h] 0x0000001a push eax 0x0000001b call 00007F8721734B4Dh 0x00000020 push FFFFFFFEh 0x00000022 pushad 0x00000023 movsx edx, si 0x00000026 push eax 0x00000027 push edx 0x00000028 mov ax, 94A9h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160743 second address: 5160762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F871CC39A07h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160762 second address: 516077A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CD54414h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 516077A second address: 5160830 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ret 0x0000000c nop 0x0000000d push eax 0x0000000e call 00007F872161A18Bh 0x00000013 mov edi, edi 0x00000015 jmp 00007F871CC39A06h 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F871CC39A00h 0x00000020 push eax 0x00000021 jmp 00007F871CC399FBh 0x00000026 xchg eax, ebp 0x00000027 jmp 00007F871CC39A06h 0x0000002c mov ebp, esp 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F871CC399FEh 0x00000035 xor cl, FFFFFFF8h 0x00000038 jmp 00007F871CC399FBh 0x0000003d popfd 0x0000003e pushfd 0x0000003f jmp 00007F871CC39A08h 0x00000044 jmp 00007F871CC39A05h 0x00000049 popfd 0x0000004a popad 0x0000004b pop ebp 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f mov esi, edx 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160830 second address: 5160836 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5160836 second address: 516083A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110006 second address: 5110029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 movzx esi, di 0x00000008 popad 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F871CD54416h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110029 second address: 5110095 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F871CC39A02h 0x00000008 xor ecx, 5B757A78h 0x0000000e jmp 00007F871CC399FBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ah, EDh 0x00000018 popad 0x00000019 mov dword ptr [esp], ebp 0x0000001c jmp 00007F871CC399FBh 0x00000021 mov ebp, esp 0x00000023 jmp 00007F871CC39A06h 0x00000028 and esp, FFFFFFF8h 0x0000002b jmp 00007F871CC39A00h 0x00000030 xchg eax, ecx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110095 second address: 5110129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F871CD54415h 0x00000009 or si, C5D6h 0x0000000e jmp 00007F871CD54411h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b mov dx, F8E0h 0x0000001f jmp 00007F871CD54419h 0x00000024 popad 0x00000025 xchg eax, ecx 0x00000026 jmp 00007F871CD5440Eh 0x0000002b xchg eax, ebx 0x0000002c jmp 00007F871CD54410h 0x00000031 push eax 0x00000032 jmp 00007F871CD5440Bh 0x00000037 xchg eax, ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b call 00007F871CD5440Bh 0x00000040 pop eax 0x00000041 pushad 0x00000042 popad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110129 second address: 511015D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F871CC39A07h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 511015D second address: 5110163 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110163 second address: 5110167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110167 second address: 51101F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD5440Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F871CD54416h 0x00000011 push eax 0x00000012 jmp 00007F871CD5440Bh 0x00000017 xchg eax, esi 0x00000018 pushad 0x00000019 push ecx 0x0000001a push ebx 0x0000001b pop esi 0x0000001c pop ebx 0x0000001d push ecx 0x0000001e mov esi, edi 0x00000020 pop edx 0x00000021 popad 0x00000022 mov esi, dword ptr [ebp+08h] 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F871CD54417h 0x0000002e add ecx, 4DDFFFFEh 0x00000034 jmp 00007F871CD54419h 0x00000039 popfd 0x0000003a call 00007F871CD54410h 0x0000003f pop eax 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51101F6 second address: 5110211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CC39A07h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110211 second address: 5110279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54419h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007F871CD5440Eh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 movzx eax, bx 0x00000018 pushfd 0x00000019 jmp 00007F871CD54419h 0x0000001e sbb eax, 178DB656h 0x00000024 jmp 00007F871CD54411h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110279 second address: 5110289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CC399FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110289 second address: 511028D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 511028D second address: 5110323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 pushad 0x0000000a mov cx, dx 0x0000000d call 00007F871CC39A09h 0x00000012 jmp 00007F871CC39A00h 0x00000017 pop eax 0x00000018 popad 0x00000019 test esi, esi 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F871CC39A07h 0x00000022 or cx, 524Eh 0x00000027 jmp 00007F871CC39A09h 0x0000002c popfd 0x0000002d mov edx, eax 0x0000002f popad 0x00000030 je 00007F878F1C7D09h 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F871CC39A09h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51006ED second address: 51007A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54411h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F871CD5440Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 call 00007F871CD54411h 0x00000016 pushfd 0x00000017 jmp 00007F871CD54410h 0x0000001c adc si, C418h 0x00000021 jmp 00007F871CD5440Bh 0x00000026 popfd 0x00000027 pop esi 0x00000028 pushad 0x00000029 mov esi, edx 0x0000002b pushfd 0x0000002c jmp 00007F871CD5440Bh 0x00000031 sbb ax, 08DEh 0x00000036 jmp 00007F871CD54419h 0x0000003b popfd 0x0000003c popad 0x0000003d popad 0x0000003e xchg eax, ebp 0x0000003f jmp 00007F871CD5440Eh 0x00000044 mov ebp, esp 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F871CD54417h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51007A1 second address: 51007C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F871CC39A06h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51007C9 second address: 51007D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD5440Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51007D8 second address: 5100823 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F871CC399FCh 0x00000011 sub eax, 14070F28h 0x00000017 jmp 00007F871CC399FBh 0x0000001c popfd 0x0000001d mov ecx, 21DEEC1Fh 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100823 second address: 5100827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100827 second address: 510082D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 510082D second address: 5100833 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100833 second address: 510084B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 510084B second address: 5100866 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54417h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100866 second address: 5100891 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edi, 7E3173DEh 0x00000012 mov di, EFEAh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100891 second address: 510093D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54410h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F871CD5440Bh 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 mov dx, ax 0x00000014 pushfd 0x00000015 jmp 00007F871CD54410h 0x0000001a sbb cl, 00000008h 0x0000001d jmp 00007F871CD5440Bh 0x00000022 popfd 0x00000023 popad 0x00000024 mov esi, dword ptr [ebp+08h] 0x00000027 jmp 00007F871CD54416h 0x0000002c sub ebx, ebx 0x0000002e pushad 0x0000002f mov ax, dx 0x00000032 mov eax, edx 0x00000034 popad 0x00000035 test esi, esi 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007F871CD5440Bh 0x0000003e and esi, 3F9FB8AEh 0x00000044 jmp 00007F871CD54419h 0x00000049 popfd 0x0000004a push esi 0x0000004b mov di, CFC2h 0x0000004f pop edi 0x00000050 popad 0x00000051 je 00007F878F2E9E65h 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a mov bh, E8h 0x0000005c mov dl, ch 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 510093D second address: 5100956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CC39A05h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100956 second address: 510096B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f pushad 0x00000010 mov ah, bh 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 510096B second address: 51009B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov ecx, esi 0x00000008 pushad 0x00000009 jmp 00007F871CC399FAh 0x0000000e jmp 00007F871CC39A02h 0x00000013 popad 0x00000014 je 00007F878F1CF408h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F871CC39A07h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51009B0 second address: 51009FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54419h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [77726968h], 00000002h 0x00000010 pushad 0x00000011 mov ebx, ecx 0x00000013 mov edx, ecx 0x00000015 popad 0x00000016 jne 00007F878F2E9DE2h 0x0000001c pushad 0x0000001d push esi 0x0000001e pushad 0x0000001f popad 0x00000020 pop ebx 0x00000021 movzx ecx, dx 0x00000024 popad 0x00000025 mov edx, dword ptr [ebp+0Ch] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F871CD54410h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51009FE second address: 5100A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ecx, edi 0x0000000f mov dx, 39B2h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A18 second address: 5100A2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CD5440Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A2B second address: 5100A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A2F second address: 5100A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A3E second address: 5100A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A42 second address: 5100A53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD5440Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A53 second address: 5100A78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC39A01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F871CC399FDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A78 second address: 5100A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A7E second address: 5100A8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A8D second address: 5100A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A91 second address: 5100A95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A95 second address: 5100A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100A9B second address: 5100AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100AA1 second address: 5100AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100B2B second address: 5100B9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F871CC399FFh 0x00000008 mov dx, cx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F871CC39A00h 0x00000016 jmp 00007F871CC39A05h 0x0000001b popfd 0x0000001c jmp 00007F871CC39A00h 0x00000021 popad 0x00000022 pop ebx 0x00000023 jmp 00007F871CC39A00h 0x00000028 mov esp, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F871CC399FAh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100B9E second address: 5100BA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5100BA4 second address: 5100BD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CC399FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F871CC39A07h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110CD8 second address: 5110D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushfd 0x00000007 jmp 00007F871CD54415h 0x0000000c adc eax, 7CAAF7E6h 0x00000012 jmp 00007F871CD54411h 0x00000017 popfd 0x00000018 pop esi 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c mov bx, cx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F871CD54416h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110D2B second address: 5110D3A instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110D3A second address: 5110D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110D3E second address: 5110D44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110D44 second address: 5110D7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F871CD5440Eh 0x00000009 jmp 00007F871CD54415h 0x0000000e popfd 0x0000000f movzx esi, di 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110D7A second address: 5110D80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110D80 second address: 5110D8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CD5440Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110D8E second address: 5110D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5110D92 second address: 5110DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F871CD5440Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51109EB second address: 51109EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51109EF second address: 51109F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51109F3 second address: 51109F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5190755 second address: 5190759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5190759 second address: 519075F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 519075F second address: 519079C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD54414h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F871CD5440Ch 0x00000013 xor ax, 4598h 0x00000018 jmp 00007F871CD5440Bh 0x0000001d popfd 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 519079C second address: 5190806 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007F871CC39A01h 0x0000000c jmp 00007F871CC399FBh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F871CC39A06h 0x0000001b mov ebp, esp 0x0000001d jmp 00007F871CC39A00h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F871CC39A07h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5180893 second address: 51808A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F871CD5440Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51808A2 second address: 51808A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51808A8 second address: 51808AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51808AC second address: 51808C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F871CC399FCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 51808C8 second address: 5180917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, cx 0x00000007 popad 0x00000008 pushfd 0x00000009 jmp 00007F871CD54416h 0x0000000e adc ah, 00000068h 0x00000011 jmp 00007F871CD5440Bh 0x00000016 popfd 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007F871CD54416h 0x0000001f pop ebp 0x00000020 pushad 0x00000021 mov ebx, ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 mov edi, eax 0x00000027 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5180917 second address: 518091B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5120186 second address: 512018C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DRWgoZo325.exe	RDTSC instruction interceptor: First address: 5180B5C second address: 5180B74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F871CC39A04h 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\DRWgoZo325.exe	Special instruction interceptor: First address: 7CECC0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Special instruction interceptor: First address: 971506 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Special instruction interceptor: First address: 997814 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Special instruction interceptor: First address: 981C21 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Special instruction interceptor: First address: 9F7EE7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 44ECC0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 5F1506 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 617814 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 601C21 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 677EE7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Special instruction interceptor: First address: 1163703 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Special instruction interceptor: First address: 11E3556 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Special instruction interceptor: First address: 77853D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Special instruction interceptor: First address: 5CC236 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Special instruction interceptor: First address: 7A26FC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Special instruction interceptor: First address: 804912 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: E1853D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: C6C236 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: E426FC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Special instruction interceptor: First address: 81CAC6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: EA4912 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Special instruction interceptor: First address: 9EBAAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Special instruction interceptor: First address: 81CA00 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Special instruction interceptor: First address: 9CA437 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Special instruction interceptor: First address: A51C0B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Special instruction interceptor: First address: 12BB212 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Special instruction interceptor: First address: 1465816 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Special instruction interceptor: First address: 14EB943 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Special instruction interceptor: First address: 12C2351 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Special instruction interceptor: First address: 12C29B1 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Special instruction interceptor: First address: BA853D instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Special instruction interceptor: First address: 9FC236 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Special instruction interceptor: First address: BD26FC instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Special instruction interceptor: First address: C34912 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Special instruction interceptor: First address: D38B00 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Special instruction interceptor: First address: EE0C80 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Special instruction interceptor: First address: EE08CC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Special instruction interceptor: First address: F05DF5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Special instruction interceptor: First address: D38AA7 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Memory allocated: 5610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Memory allocated: 56B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Memory allocated: 76B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Memory allocated: DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Memory allocated: 2750000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Memory allocated: 4750000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\DRWgoZo325.exe

Code function: 0_2_05180B04 rdtsc

0_2_05180B04

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599887
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599780
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599122
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599014
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598686
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598249
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598027
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 597922
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 597538
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594980
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594838
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594431
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594313
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594200
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594094
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593984
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593865
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593750
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593640
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593529
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593419
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593312
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593203
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1339	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1227	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1228	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1347	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Window / User API: threadDelayed 367
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1056
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1093
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1060
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1072
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1075
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1017
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Window / User API: threadDelayed 9058
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8927
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Window / User API: threadDelayed 5249
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Window / User API: threadDelayed 4643

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

API coverage: 0.3 %

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8048	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8048	Thread sleep time: -70035s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6004	Thread sleep count: 1339 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6004	Thread sleep time: -2679339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7192	Thread sleep count: 221 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7192	Thread sleep time: -6630000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5752	Thread sleep count: 1227 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5752	Thread sleep time: -2455227s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8004	Thread sleep time: -540000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6080	Thread sleep count: 1228 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6080	Thread sleep time: -2457228s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6120	Thread sleep count: 1347 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6120	Thread sleep time: -2695347s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 5612	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 5612	Thread sleep time: -92046s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 6036	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 6036	Thread sleep time: -92046s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 5876	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 5876	Thread sleep time: -72036s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 1472	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 5924	Thread sleep count: 47 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 5924	Thread sleep time: -94047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 6172	Thread sleep time: -58029s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 6168	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 6168	Thread sleep time: -90045s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 4072	Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 4072	Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 4064	Thread sleep count: 44 > 30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 4064	Thread sleep time: -88044s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 4016	Thread sleep count: 44 > 30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 4016	Thread sleep time: -88044s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 3008	Thread sleep count: 367 > 30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 3008	Thread sleep time: -2202000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 4056	Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 4056	Thread sleep time: -106053s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 3392	Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 3392	Thread sleep time: -100050s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 4332	Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 4332	Thread sleep time: -100050s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 3952	Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 3952	Thread sleep time: -98049s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe TID: 5976	Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe TID: 6680	Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe TID: 5460	Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe TID: 1028	Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe TID: 3444	Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe TID: 5452	Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe TID: 364	Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe TID: 5140	Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe TID: 7020	Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 1956	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 1892	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 1844	Thread sleep count: 211 > 30
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 1844	Thread sleep time: -1266000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe TID: 2040	Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe TID: 6472	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4040	Thread sleep count: 1056 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4040	Thread sleep time: -2113056s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7624	Thread sleep count: 1093 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7624	Thread sleep time: -2187093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2628	Thread sleep count: 1060 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2628	Thread sleep time: -2121060s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1668	Thread sleep count: 1072 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1668	Thread sleep time: -2145072s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2588	Thread sleep count: 1075 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2588	Thread sleep time: -2151075s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6552	Thread sleep count: 222 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6552	Thread sleep time: -6660000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6892	Thread sleep count: 1017 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6892	Thread sleep time: -2035017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 6888	Thread sleep count: 9058 > 30
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -599887s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -599780s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -599344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -599122s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -599014s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -598797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -598686s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -598578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -598468s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -598249s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -598140s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -598027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -597922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -597812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -597538s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -594980s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -594838s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -594431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -594313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -594200s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -594094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -593984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -593865s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -593750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -593640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -593529s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -593419s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -593312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe TID: 4776	Thread sleep time: -593203s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4252	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2596	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe TID: 5404	Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe TID: 1860	Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe TID: 3792	Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe TID: 8092	Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe TID: 636	Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe TID: 4024	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe TID: 1820	Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe TID: 8096	Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe TID: 7904	Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe TID: 3700	Thread sleep count: 5249 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe TID: 3700	Thread sleep time: -5249000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe TID: 4684	Thread sleep count: 4643 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe TID: 4684	Thread sleep time: -4643000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe TID: 7108	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe TID: 8180	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe TID: 1504	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe TID: 1504	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\DRWgoZo325.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Code function: 9_2_6C71C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc,

9_2_6C71C930

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599887
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599780
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599122
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 599014
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598686
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598249
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 598027
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 597922
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 597538
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594980
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594838
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594431
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594313
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594200
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 594094
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593984
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593865
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593750
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593640
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593529
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593419
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593312
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Thread delayed: delay time: 593203
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior

Source: axplong.exe, axplong.exe, 00000003.00000002.1382756961.00000000005D0000.00000040.00000001.01000000.00000007.sdmp, 32ff2fbd90.exe, 00000009.00000002.2641800053.000000000113C000.00000040.00000001.01000000.00000009.sdmp, d1e123248e.exe, 0000000A.00000002.2173992097.0000000000759000.00000040.00000001.01000000.0000000A.sdmp, d1e123248e.exe, 0000000A.00000000.2086171635.0000000000759000.00000080.00000001.01000000.0000000A.sdmp, 32ff2fbd90.exe, 0000000B.00000002.2754917619.000000000113C000.00000040.00000001.01000000.00000009.sdmp, skotes.exe, 0000000C.00000002.2219173223.0000000000DF9000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000C.00000000.2116090192.0000000000DF9000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000E.00000002.2217013831.0000000000DF9000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000E.00000000.2116504387.0000000000DF9000.00000080.00000001.01000000.0000000B.sdmp, daf7989e83.exe, 00000011.00000002.2971134573.000000000099F000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 32ff2fbd90.exe, 0000000B.00000002.2757686221.0000000001907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWw
Source: Set-up.exe, 0000001B.00000003.2373447129.0000000001897000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}cabb9cae344b87de317ca6da8\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: DRWgoZo325.exe, 00000000.00000003.1307227387.000000000134D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f
Source: DRWgoZo325.exe, 00000000.00000003.1307227387.000000000134D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 0000000B.00000002.2757686221.0000000001907000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2427990453.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000002.2979240394.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2401506825.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2375403578.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2482595026.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2296574547.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2538254098.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 7d4f3b6a88.exe, 00000019.00000002.2374370764.0000000000BE2000.00000040.00000001.01000000.0000000F.sdmp, 7d4f3b6a88.exe, 00000019.00000003.2330550240.00000000053C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DetectVirtualMachine
Source: Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: 7d4f3b6a88.exe, 00000019.00000002.2373192286.0000000000A32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\xK
Source: Set-up.exe, 0000001B.00000003.2372989385.0000000001A85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: Set-up.exe, 0000001B.00000003.2611627373.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2614034614.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000002.2618514425.0000000001ADB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2612457912.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2613521161.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld":
Source: Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000725000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX[u%SystemRoot%\system32\mswsock.dll
Source: 7d4f3b6a88.exe, 00000019.00000002.2374370764.0000000000BE2000.00000040.00000001.01000000.0000000F.sdmp, 7d4f3b6a88.exe, 00000019.00000003.2330550240.00000000053C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <Module>ladddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladddadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksiujwdkvbji0.resources
Source: daf7989e83.exe, 00000011.00000002.2979240394.00000000055A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 32ff2fbd90.exe, 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware"
Source: daf7989e83.exe, 00000011.00000003.2427990453.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000002.2979240394.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2401506825.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2375403578.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2482595026.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2296574547.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2538254098.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2349094953.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2323232353.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2511550898.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWUS
Source: skotes.exe, 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: d1e123248e.exe, 0000000A.00000003.2118433313.00000000004C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: DRWgoZo325.exe, 00000000.00000003.1307227387.000000000134D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: DRWgoZo325.exe, 00000000.00000002.1336667075.0000000001339000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\N
Source: 32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: skotes.exe, 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: DRWgoZo325.exe, 00000000.00000002.1334754180.0000000000950000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.1365603096.00000000005D0000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.1382756961.00000000005D0000.00000040.00000001.01000000.00000007.sdmp, 32ff2fbd90.exe, 00000009.00000002.2641800053.000000000113C000.00000040.00000001.01000000.00000009.sdmp, d1e123248e.exe, 0000000A.00000002.2173992097.0000000000759000.00000040.00000001.01000000.0000000A.sdmp, d1e123248e.exe, 0000000A.00000000.2086171635.0000000000759000.00000080.00000001.01000000.0000000A.sdmp, 32ff2fbd90.exe, 0000000B.00000002.2754917619.000000000113C000.00000040.00000001.01000000.00000009.sdmp, skotes.exe, 0000000C.00000002.2219173223.0000000000DF9000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000C.00000000.2116090192.0000000000DF9000.00000080.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000E.00000002.2217013831.0000000000DF9000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000E.00000000.2116504387.0000000000DF9000.00000080.00000001.01000000.0000000B.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\DRWgoZo325.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\DRWgoZo325.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	System information queried: CodeIntegrityInformation
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	System information queried: CodeIntegrityInformation

Hides threads from debuggers

Source: C:\Users\user\Desktop\DRWgoZo325.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: SIWVID

Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe

System information queried: KernelDebuggerInformation

Source: C:\Users\user\Desktop\DRWgoZo325.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\DRWgoZo325.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\CBGCAFIIEC.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\DRWgoZo325.exe

Code function: 0_2_05180B04 rdtsc

0_2_05180B04

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Code function: 9_2_6C765FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose,

9_2_6C765FF0

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Code function: 9_2_6C76C410 LoadLibraryW,GetProcAddress,FreeLibrary,

9_2_6C76C410

Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C73B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_6C73B66C
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C73B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_6C73B1F7
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8EAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_6C8EAC62

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 1836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 3136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 2080, type: MEMORYSTR

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto'
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto'

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 252B22A0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1A0C4900000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: A90000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000066B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000066B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000066B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000066B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000066B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000066B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000066B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000066B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000066B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: censeractersj.click

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 252B22A0000
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: AE6D9072D8
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 1A0C4900000
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 420B2492D8
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: A90000
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 8742D8
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 8751E8
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 875008
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 41F000
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 423000
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 636000
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 637000

Source: C:\Users\user\Desktop\DRWgoZo325.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe "C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe "C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe "C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe "C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\CBGCAFIIEC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe "C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe "C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe "C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\CBGCAFIIEC.exe "C:\Users\user\Documents\CBGCAFIIEC.exe"
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto'
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe"
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Code function: 9_2_6C934760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

9_2_6C934760

Source: daf7989e83.exe, 00000011.00000002.2971134573.000000000099F000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: V?Program Manager
Source: d1e123248e.exe, 0000000A.00000002.2184469176.000000000079B000.00000040.00000001.01000000.0000000A.sdmp, d1e123248e.exe, 00000012.00000002.2264679307.000000000079B000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Program Manager
Source: axplong.exe, axplong.exe, 00000003.00000002.1382756961.00000000005D0000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: }SProgram Manager
Source: 32ff2fbd90.exe, 00000009.00000002.2642664390.000000000117F000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: OTCProgram Manager

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Code function: 9_2_6C73B341 cpuid

9_2_6C73B341

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023744001\386e64c5e6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023744001\386e64c5e6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023788001\911c5c6170.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023788001\911c5c6170.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023821001\d7f51b03ae.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023821001\d7f51b03ae.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023854001\a577f7b3d2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023854001\a577f7b3d2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Code function: 9_2_6C7035A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp,

9_2_6C7035A0

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skotes.exe PID: 7124, type: MEMORYSTR

Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: procmon.exe
Source: 7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: wireshark.exe

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 3.2.axplong.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.axplong.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.skotes.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.CBGCAFIIEC.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.skotes.exe.c00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.d1e123248e.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRWgoZo325.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.d1e123248e.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1324892862.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2676025129.0000000000991000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2214362790.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1870097821.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2261811221.0000000000561000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1334609057.0000000000761000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1341539424.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2166710457.0000000000561000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1382490923.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1294178727.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1365524089.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 24.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2754081049.0000000000D61000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2681222976.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2682614788.0000000000D61000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2638205082.0000000000D61000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 1836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 3136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 2080, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1ea6000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1ecc000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1e80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1ea6000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1ecc000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1e80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002E.00000002.4120987964.0000000001ECC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4120987964.0000000001E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4120987964.0000000001EA6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4120987964.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 1836, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.js
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV

Source: Yara match	File source: 9.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002C.00000003.3741043776.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2638205082.0000000000E2C000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 1836, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 24.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.32ff2fbd90.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2754081049.0000000000D61000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2681222976.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2682614788.0000000000D61000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2638205082.0000000000D61000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 1836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 3136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 2080, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1ea6000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1ecc000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1e80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1ea6000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1ecc000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.c2ca7fb2d0.exe.1e80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002E.00000002.4120987964.0000000001ECC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4120987964.0000000001E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4120987964.0000000001EA6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4120987964.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 32ff2fbd90.exe PID: 1836, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8F0C40 sqlite3_bind_zeroblob,	9_2_6C8F0C40
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8F0D60 sqlite3_bind_parameter_name,	9_2_6C8F0D60
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C818EA0 sqlite3_clear_bindings,	9_2_6C818EA0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8F0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	9_2_6C8F0B40
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C816410 bind,WSAGetLastError,	9_2_6C816410
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C8160B0 listen,WSAGetLastError,	9_2_6C8160B0
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C81C030 sqlite3_bind_parameter_count,	9_2_6C81C030
Source: C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	Code function: 9_2_6C81C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	9_2_6C81C050

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	11 Scheduled Task/Job	1 Extra Window Memory Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	111 Registry Run Keys / Startup Folder	312 Process Injection	14 Obfuscated Files or Information	Security Account Manager	248 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	Login Hook	11 Scheduled Task/Job	12 Software Packing	NTDS	11 Query Registry	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	111 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	1181 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	571 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	571 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DRWgoZo325.exe	55%	ReversingLabs	Win32.Packed.Themida
DRWgoZo325.exe	47%	Virustotal		Browse
DRWgoZo325.exe	100%	Avira	TR/Crypt.TPM.Gen
DRWgoZo325.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	100%	Avira	HEUR/AGEN.1313526
C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	100%	Avira	HEUR/AGEN.1320706
C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Avira	HEUR/AGEN.1320706
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Avira	HEUR/AGEN.1313526
C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[1].exe	58%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe	47%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe	58%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	55%	ReversingLabs	Win32.Ransomware.StealC
C:\Users\user\AppData\Local\Temp\LummaC2.exe	37%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\Set-up.exe	26%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	58%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	0%	Avira URL Cloud	safe
http://185.215.113.206/68b591d6548ec281/freebl3.dll6	100%	Avira URL Cloud	malware
http://185.156.73.23/ll/key	0%	Avira URL Cloud	safe
http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp4	0%	Avira URL Cloud	safe
http://185.215.113.16/well/random.exea5c	0%	Avira URL Cloud	safe
http://185.215.113.206/c4becf79229cb002.php83m	100%	Avira URL Cloud	malware
http://185.215.113.206/c4becf79229cb002.php.3	100%	Avira URL Cloud	malware
http://185.215.113.206/68b591d6548ec281/mozglue.dll2	100%	Avira URL Cloud	malware
http://185.215.113.206I	0%	Avira URL Cloud	safe
http://185.215.113.206/c4becf79229cb002.phpf3	100%	Avira URL Cloud	malware
http://31.41.244.11/files/7756467432/64T69R7.exeX	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100034fd4	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse	0%	Avira URL Cloud	safe
http://31.41.244.11/files/7756467432/64T69R7.exe	100%	Avira URL Cloud	phishing
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0Z	0%	Avira URL Cloud	safe
http://crl.microsoft.	0%	Avira URL Cloud	safe
http://185.156.73.23/qC9k	0%	Avira URL Cloud	safe
http://185.215.113.16/luma/random.exeH	0%	Avira URL Cloud	safe
http://185.156.73.23/files/download(	0%	Avira URL Cloud	safe
http://185.215.113.206/68b591d6548ec281/msvcp140.dllb	100%	Avira URL Cloud	malware
http://185.215.113.16/well/ran	0%	Avira URL Cloud	safe
http://185.215.113.206/Rw	100%	Avira URL Cloud	malware
https://crownybusher.click/apiX	0%	Avira URL Cloud	safe
http://31.41.244.11/files/kardanvalov88/random.exeJ	0%	Avira URL Cloud	safe
http://185.215.113.206/c4becf79229cb002.php~3	100%	Avira URL Cloud	malware
https://crownybusher.click/apiF	0%	Avira URL Cloud	safe
http://185.215.113.206/c4becf79229cb002.phpJ0	100%	Avira URL Cloud	malware
censeractersj.click	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	0%	Avira URL Cloud	safe
http://185.156.73.23/	0%	Avira URL Cloud	safe
https://crownybusher.click/api)	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	0%	Avira URL Cloud	safe
http://185.215.113.16/well/random.exe9)	0%	Avira URL Cloud	safe
https://crownybusher.click/api	0%	Avira URL Cloud	safe
http://185.215.113.206/68b591d6548ec281/softokn3.dllq	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
slipperyloo.lat	false		high
https://steamcommunity.com/profiles/76561199809363512	false		high
curverpluch.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
censeractersj.click	true	Avira URL Cloud: safe	unknown
bashfulacid.lat	false		high
wordyfindy.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000738000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	skotes.exe, 0000001C.00000003.6134973595.0000000005B54000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.156.73.23/ll/key	daf7989e83.exe, 00000011.00000003.2511550898.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2349094953.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2482595026.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2427990453.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2375403578.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2538254098.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2455194108.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2401506825.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 0000001B.00000002.2615199652.0000000001429000.00000004.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp4	daf7989e83.exe, 00000011.00000002.2973199382.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206/c4becf79229cb002.phpf3	32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B602000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://185.215.113.206/ws	32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/freebl3.dll6	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg	32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.se/docs/hsts.html	Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/mozglue.dll2	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700	32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpation	32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000DE4000.00000040.00000001.01000000.00000009.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/freebl3.dll	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/well/random.exea5c	skotes.exe, 0000001C.00000003.4978552669.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206/c4becf79229cb002.php83m	32ff2fbd90.exe, 00000009.00000002.2632544448.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://185.215.113.206/c4becf79229cb002.php.3	32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B602000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://185.215.113.206/68b591d6548ec281/nss3.dll	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206I	32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/ktiwpptkkmgmawd.exe	skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta	32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100034fd4	Set-up.exe, 0000001B.00000003.2611627373.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2614034614.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000002.2618514425.0000000001ADB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2612457912.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2613521161.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse	Set-up.exe, 0000001B.00000003.2611627373.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2614034614.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000002.2618514425.0000000001ADB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2612457912.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2613521161.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	skotes.exe, 0000001C.00000003.6134973595.0000000005B54000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/well/random.exe	skotes.exe, 0000001C.00000003.4976904444.0000000005B2E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	32ff2fbd90.exe, 32ff2fbd90.exe, 00000009.00000002.2673231363.000000006C77D000.00000002.00000001.01000000.00000014.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.php#	32ff2fbd90.exe, 00000009.00000002.2632544448.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://31.41.244.11/files/7756467432/64T69R7.exe	skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0Z	Set-up.exe, 0000001B.00000003.2611627373.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2614034614.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000002.2618514425.0000000001ADB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2612457912.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2613521161.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206/c4becf79229cb002.php(	32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.php/	32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://31.41.244.11/files/7756467432/64T69R7.exeX	skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	false		high
http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174	daf7989e83.exe, 00000011.00000003.2626241070.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624545330.000000000596E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624346429.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2626928168.0000000005967000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624416185.0000000005660000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2625102028.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2626169832.0000000005A21000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2625475905.0000000005950000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.156.73.23/qC9k	daf7989e83.exe, 00000011.00000003.2511550898.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2349094953.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2482595026.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2427990453.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2375403578.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2538254098.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2296574547.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2455194108.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2323232353.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2401506825.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206/c4becf79229cb002.php4	32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	32ff2fbd90.exe, 00000009.00000003.2579563110.000000000B860000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000E2C000.00000040.00000001.01000000.00000009.sdmp	false		high
http://185.215.113.16/luma/random.exeH	skotes.exe, 0000001C.00000003.4978552669.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://31.41.244.11/files/martin/random.exe	skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microsoft.	cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.156.73.23/files/download(	daf7989e83.exe, 00000011.00000002.2973199382.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206Y	32ff2fbd90.exe, 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/msvcp140.dllb	32ff2fbd90.exe, 00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.206/Rw	32ff2fbd90.exe, 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.16/well/ran	skotes.exe, 0000001C.00000003.6135803850.0000000005B2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/ipbefore	7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	false		high
http://crl.micro	skotes.exe, 0000001C.00000003.3105162110.0000000000796000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000001C.00000003.3132261114.000000000079A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000001C.00000003.3133168688.000000000079C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	skotes.exe, 0000001C.00000003.6134973595.0000000005B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g-cleanit.hk	daf7989e83.exe, 00000011.00000003.2626241070.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624545330.000000000596E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624346429.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2626928168.0000000005967000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2624416185.0000000005660000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2625102028.000000000590E000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2626169832.0000000005A21000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2625475905.0000000005950000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.156.73.23/files/download	daf7989e83.exe, 00000011.00000003.2375145034.000000000594B000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000002.2973199382.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crownybusher.click/apiX	cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.156.73.23/dll/key	daf7989e83.exe, 00000011.00000003.2511550898.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2349094953.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2482595026.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000002.2979240394.00000000055A0000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2427990453.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2375403578.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2538254098.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2296574547.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2455194108.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2323232353.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2401506825.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpS	32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000DE4000.00000040.00000001.01000000.00000009.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.php~3	32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B602000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://html4/loose.dtd	7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/vcruntime140.dll	32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://31.41.244.11/files/kardanvalov88/random.exeJ	skotes.exe, 0000001C.00000003.4978796848.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	skotes.exe, 0000001C.00000003.6134973595.0000000005B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crownybusher.click/apiF	cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206/c4becf79229cb002.phpd	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000738000.00000004.00000020.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpJ0	32ff2fbd90.exe, 00000018.00000002.2681222976.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	Set-up.exe, 0000001B.00000003.2613521161.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr	32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpk	32ff2fbd90.exe, 00000009.00000002.2632544448.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/mine/random.exe	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpl	32ff2fbd90.exe, 0000000B.00000002.2757686221.00000000018EC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206ocal	32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000DE4000.00000040.00000001.01000000.00000009.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/sqlite3.dll	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.njy8xaI_aUJp	32ff2fbd90.exe, 00000009.00000003.2579563110.000000000B860000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.css	7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phps	32ff2fbd90.exe, 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/luma/random.exe	skotes.exe, 0000001C.00000003.4978552669.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpy	32ff2fbd90.exe, 00000009.00000002.2632544448.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	skotes.exe, 0000001C.00000003.6134973595.0000000005B54000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	Set-up.exe, 0000001B.00000003.2611627373.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2614034614.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000002.2618514425.0000000001ADB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2612457912.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000003.2613521161.0000000001ADA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000002.2615199652.0000000001429000.00000004.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
https://crownybusher.click/api)	cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp	daf7989e83.exe, 00000011.00000002.2973199382.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi	32ff2fbd90.exe, 00000009.00000002.2667287859.000000000B5F1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/C	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000738000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/mozglue.dll	32ff2fbd90.exe, 00000009.00000002.2632544448.0000000000752000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.156.73.23/	daf7989e83.exe, 00000011.00000003.2349094953.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2375403578.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, daf7989e83.exe, 00000011.00000003.2538254098.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206/68b591d6548ec281/softokn3.dllq	32ff2fbd90.exe, 00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://.jpg	7d4f3b6a88.exe, 00000019.00000002.2381753960.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001B.00000000.2343300110.000000000142B000.00000002.00000001.01000000.00000012.sdmp	false		high
http://185.215.113.16/well/random.exe9)	skotes.exe, 0000001C.00000003.4978552669.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	32ff2fbd90.exe, 00000009.00000002.2672619169.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 32ff2fbd90.exe, 00000009.00000002.2661645847.0000000005365000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crownybusher.click/api	cnywnayy_638708640251469628.exe, 0000002D.00000003.3530499028.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206ocalMicrosoft	32ff2fbd90.exe, 00000009.00000002.2638205082.0000000000DE4000.00000040.00000001.01000000.00000009.sdmp	false		high
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	skotes.exe, 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
185.121.15.192	unknown	Spain	207046	REDSERVICIOES	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
172.217.19.238	unknown	United States	15169	GOOGLEUS	false
172.217.19.227	unknown	United States	15169	GOOGLEUS	false
104.21.16.1	unknown	United States	13335	CLOUDFLARENETUS	false
104.18.10.31	unknown	United States	13335	CLOUDFLARENETUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
20.233.83.145	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.189.173.22	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.199.111.133	unknown	Netherlands	54113	FASTLYUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
185.156.73.23	unknown	Russian Federation	48817	RELDAS-NETRU	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
142.250.181.68	unknown	United States	15169	GOOGLEUS	false
172.217.21.35	unknown	United States	15169	GOOGLEUS	false
173.194.220.84	unknown	United States	15169	GOOGLEUS	false
3.218.7.103	unknown	United States	14618	AMAZON-AESUS	false
142.250.181.42	unknown	United States	15169	GOOGLEUS	false
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false
104.21.11.101	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.10
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581211
Start date and time:	2024-12-27 08:36:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 19m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	DRWgoZo325.exe renamed because original name is a hash value
Original Sample Name:	f5821e480d16f40d9eca6432956ae44e.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@79/53@0/23
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target DRWgoZo325.exe, PID 8004 because it is empty
Execution Graph export aborted for target axplong.exe, PID 1472 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 7312 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
02:38:01	API Interceptor	7247619x Sleep call for process: axplong.exe modified
02:38:32	API Interceptor	1350x Sleep call for process: 32ff2fbd90.exe modified
02:39:02	API Interceptor	4582333x Sleep call for process: skotes.exe modified
02:39:03	API Interceptor	88x Sleep call for process: daf7989e83.exe modified
02:39:51	API Interceptor	1x Sleep call for process: WerFault.exe modified
02:40:20	API Interceptor	36x Sleep call for process: powershell.exe modified
02:40:28	API Interceptor	1179682x Sleep call for process: 64T69R7.exe modified
02:40:34	API Interceptor	200x Sleep call for process: b016a3d9d5.exe modified
02:40:36	API Interceptor	29805x Sleep call for process: cnywnayy_638708640251469628.exe modified
08:37:06	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
08:38:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 32ff2fbd90.exe C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
08:38:25	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
08:38:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run d1e123248e.exe C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe
08:38:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 32ff2fbd90.exe C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
08:38:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run d1e123248e.exe C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe
08:40:34	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe
08:42:47	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2d0fa0e902.exe C:\Users\user\AppData\Local\Temp\1024063001\2d0fa0e902.exe
08:42:55	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 2d0fa0e902.exe C:\Users\user\AppData\Local\Temp\1024063001\2d0fa0e902.exe
08:43:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 924e5ff2a0.exe C:\Users\user\AppData\Local\Temp\1024064001\924e5ff2a0.exe
08:43:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 640832f6b1.exe C:\Users\user\AppData\Local\Temp\1024065001\640832f6b1.exe
08:43:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 001a4fad5e.exe C:\Users\user\AppData\Local\Temp\1024066001\001a4fad5e.exe
08:43:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 924e5ff2a0.exe C:\Users\user\AppData\Local\Temp\1024064001\924e5ff2a0.exe
08:43:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 640832f6b1.exe C:\Users\user\AppData\Local\Temp\1024065001\640832f6b1.exe
08:43:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 001a4fad5e.exe C:\Users\user\AppData\Local\Temp\1024066001\001a4fad5e.exe
08:44:51	Task Scheduler	Run new task: Intel_PTT_EK_Recertification path: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
08:45:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sewwsbifrz_638708643372914371.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	oTZfvSwHTq.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	ZBbOXn0a3R.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	0Pm0sadcCP.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	iUKUR1nUyD.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	uLkHEqZ3u3.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
185.121.15.192	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivetk5sb.top/v1/upload.php
	8kl5nJ3f9x.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	7kf4hLzMoS.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twentytk20ht.top/v1/upload.php
	x6Rd1DzUJA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivetk5sb.top/v1/upload.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PH1D3KHmOD.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	7jKx8dPOEs.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	IERiUft8Wi.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	oTZfvSwHTq.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.165.185
	zi042476Iv.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	C8FtVPhuxd.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	U7TAniYFeK.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	6wFwugeLNG.exe	Get hash	malicious	LummaC	Browse	172.67.135.139
	9mauyKC3JW.exe	Get hash	malicious	Unknown	Browse	172.67.153.243
WHOLESALECONNECTIONSNL	7jKx8dPOEs.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	oTZfvSwHTq.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	0zBsv1tnt4.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	GxX48twWHA.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	ERTL09tA59.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	z3IxCpcpg4.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	GtEVo1eO2p.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	ZBbOXn0a3R.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	9InQHaM8hT.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
REDSERVICIOES	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	8kl5nJ3f9x.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
	7kf4hLzMoS.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	x6Rd1DzUJA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	glpEv3POe7.exe	Get hash	malicious	Stealc, Vidar	Browse
	gYjK72gL17.exe	Get hash	malicious	Stealc, Vidar	Browse
	iUKUR1nUyD.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	xlSzrIs5h6.exe	Get hash	malicious	LummaC, Stealc	Browse
	1lhZVZx5nD.exe	Get hash	malicious	Stealc, Vidar	Browse
	Qsqi9KQXgy.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	uLkHEqZ3u3.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\DBKKFCBA

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1211596417522893
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5:	0AB67F0950F46216D5590A6A41A267C7
SHA1:	3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256:	4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512:	D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECAFHIIJJECGDHIEGDAK

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GDBFHDHJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1368932887859682
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/k4:MnlyfnGtxnfVuSVumEHFs4
MD5:	9A534FD57BED1D3E9815232E05CCF696
SHA1:	916474D7D073A4EB52A2EF8F7D9EF9549C0808A1
SHA-256:	7BB87D8BC8D49EECAB122B7F5BCD9E77F77B36C6DB173CB41E83A2CCA3AC391B
SHA-512:	ADE77FBBDE6882EF458A43F301AD84B12B42D82E222FC647A78E5709554754714DB886523A639C78D05BC221D608F0F99266D89165E78F76B21083002BE8AEFF
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JEHIJJKEGHJJKECBKECF

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: i8Vwc7iOaG.exe, Detection: malicious, Browse Filename: glpEv3POe7.exe, Detection: malicious, Browse Filename: gYjK72gL17.exe, Detection: malicious, Browse Filename: iUKUR1nUyD.exe, Detection: malicious, Browse Filename: cMTqzvmx9u.exe, Detection: malicious, Browse Filename: ElmEHL9kP9.exe, Detection: malicious, Browse Filename: xlSzrIs5h6.exe, Detection: malicious, Browse Filename: 1lhZVZx5nD.exe, Detection: malicious, Browse Filename: Qsqi9KQXgy.exe, Detection: malicious, Browse Filename: uLkHEqZ3u3.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7d4f3b6a88.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\5a2ef6b4-dd31-4039-a82c-eaef0c5bf1e1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091553936701483
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kozUXqgfb/1tXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynd5t3FqfyW0e6kaoZ
MD5:	F5D4C985B861189D95478077CADBDE10
SHA1:	3CACFCDCB9A385284720682C1425BA14075657ED
SHA-256:	5CBC398436A1C3563FB39F555E5BCDB73B9D675AB7174C9E0E36F6320DBE4541
SHA-512:	D5A8599ACB1FE229615E190C66BCA2CADF2A2F59834F0CF150056BCE0CBC0D588E6FAF3E00752C334BE68C04A1E07634E6D2D24481C3B3842EA5AD329C4CC513
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\6d1cf1c2-ea3e-40b2-96e4-ee6fb4380eae.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44492
Entropy (8bit):	6.096652177413329
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4ktYUXqgfbRDj8Oc2O9VtPpUQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynNdDQpH6qfyW0e6kaoZ
MD5:	4F8A697BF954954199ED2B9B4566424D
SHA1:	1BD52E6E54F7C08B824B7C937E3A73ACC3B44B9E
SHA-256:	FDA626FA8E389F23BFB305ED98C13B9ACADBB7BFDC732460764B01BCE7E47B58
SHA-512:	6A3B0EE0B74081493F09E0571DC7F5B56356365BADA57BD1E2F85AD2FAD8A479D049C8EF438F9DA3935678189FE319466C65F57B9DF373F580B10A50B32A6F1D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\6de0962a-29e2-4472-a545-287859ec2bf5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44492
Entropy (8bit):	6.096652177413329
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4ktYUXqgfbRDj8Oc2O9VtPpUQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynNdDQpH6qfyW0e6kaoZ
MD5:	4F8A697BF954954199ED2B9B4566424D
SHA1:	1BD52E6E54F7C08B824B7C937E3A73ACC3B44B9E
SHA-256:	FDA626FA8E389F23BFB305ED98C13B9ACADBB7BFDC732460764B01BCE7E47B58
SHA-512:	6A3B0EE0B74081493F09E0571DC7F5B56356365BADA57BD1E2F85AD2FAD8A479D049C8EF438F9DA3935678189FE319466C65F57B9DF373F580B10A50B32A6F1D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-676E597E-134C.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.04726266732041462
Encrypted:	false
SSDEEP:	192:JCjlh0pqtmInOAHZYXJPi6VBK/7+HfgHXH1IlKMEYTwgh81MNH+zRQcD/O3HRJns:Yh0ctvsd4QrphHgVfKxJ08T2RGOD
MD5:	780EE362A1061BD167A2168BE669B17C
SHA1:	C77F9E5A05B43C4C4FFD1AD05231C09AC694D896
SHA-256:	52A2B262E86C3DA209082A1B67FDC11D272DBB19B58B007B3CE1481CC08170BC
SHA-512:	986C49A9561CF0A84CCE9DE3F1940AD5B5757139B559D164EFC290C9EA076D09788CF1007B58D9BCD8FC49CCCA435A7E0D93656B5FDD52C7E4E1A8DA0D06A435
Malicious:	false
Preview:	...@..@...@.....C.].....@...............xj..0Z..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".oxvntd20,1(.0..8..B.......2.:.M....U....e...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............2..................8...w..U..G...W6.>.........."....."...24.."."GTJZX6ysgheZqBTPXcKXA+Ak8runmRph4F61XypBFRM=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z........W@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2.......y...... .2..........I..

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-676E597E-60C.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.04668991244045967
Encrypted:	false
SSDEEP:	192:slKtF0pqtmInOAH6YuJwA8x5XSggykfhbNNETJImdGRQcgwMABiB0Nn8y08Tcm2D:B/0ctvCQk9hZwulMAUBk08T2RGOD
MD5:	6A99F1774FECD30BAFA0563217B1A206
SHA1:	91A0167563F15942A3ABCBBBBC5FE81554377A81
SHA-256:	ED2B073650A294D94000B421590763FD34F0C4F42B8D5D97FB7A2E31D2262C2D
SHA-512:	2E0503995D186C5C384CDCD4D1BC93FC27E006DB7C31D2D7E40229E75CE21E343B0FC12037CEA4050C27E144E687677C620186A68BC9E6262C909120AB15EC3C
Malicious:	false
Preview:	...@..@...@.....C.].....@................e...U..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".oxvntd20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J...I.r.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............2..................8...w..U?:K...G...W6.>.........."....."...24.."."GTJZX6ysgheZqBTPXcKXA+Ak8runmRph4F61XypBFRM=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z........W@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.186405996455797
Encrypted:	false
SSDEEP:	3:FiWWltlUkzpbazHSAS219jlV/TUqjNlWBVP/Sh/Jzv6cRBAVIGGgphVE7GC/Ollt:o1U6BaYIlWBVsJD6dpPhVeGC/O/
MD5:	0D0C6A5A14BC2141201C32A1F7C87A09
SHA1:	CA25216B59523CCC5DFAFB86D4B4D265A6B1BA53
SHA-256:	78ECB5979E18356057D4F459FD12670B202B19E936991A6CCB9931429F732056
SHA-512:	A75F19DDAF31A241EA098482ECE561FC94A33322365289161BDEE95BC4B6429989B32E15CBE6C150A2254AA1388BAF85746CFA7469137F4FBD03F76F7FAF77FB
Malicious:	false
Preview:	sdPC....................i...\|.@..s..."GTJZX6ysgheZqBTPXcKXA+Ak8runmRph4F61XypBFRM="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................8963f191-f8e0-42ec-8449-d20a8242b3e6............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091553936701483
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kozUXqgfb/1tXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynd5t3FqfyW0e6kaoZ
MD5:	F5D4C985B861189D95478077CADBDE10
SHA1:	3CACFCDCB9A385284720682C1425BA14075657ED
SHA-256:	5CBC398436A1C3563FB39F555E5BCDB73B9D675AB7174C9E0E36F6320DBE4541
SHA-512:	D5A8599ACB1FE229615E190C66BCA2CADF2A2F59834F0CF150056BCE0CBC0D588E6FAF3E00752C334BE68C04A1E07634E6D2D24481C3B3842EA5AD329C4CC513
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF36c67.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091553936701483
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kozUXqgfb/1tXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynd5t3FqfyW0e6kaoZ
MD5:	F5D4C985B861189D95478077CADBDE10
SHA1:	3CACFCDCB9A385284720682C1425BA14075657ED
SHA-256:	5CBC398436A1C3563FB39F555E5BCDB73B9D675AB7174C9E0E36F6320DBE4541
SHA-512:	D5A8599ACB1FE229615E190C66BCA2CADF2A2F59834F0CF150056BCE0CBC0D588E6FAF3E00752C334BE68C04A1E07634E6D2D24481C3B3842EA5AD329C4CC513
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF36c77.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091553936701483
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kozUXqgfb/1tXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynd5t3FqfyW0e6kaoZ
MD5:	F5D4C985B861189D95478077CADBDE10
SHA1:	3CACFCDCB9A385284720682C1425BA14075657ED
SHA-256:	5CBC398436A1C3563FB39F555E5BCDB73B9D675AB7174C9E0E36F6320DBE4541
SHA-512:	D5A8599ACB1FE229615E190C66BCA2CADF2A2F59834F0CF150056BCE0CBC0D588E6FAF3E00752C334BE68C04A1E07634E6D2D24481C3B3842EA5AD329C4CC513
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37909.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091553936701483
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kozUXqgfb/1tXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynd5t3FqfyW0e6kaoZ
MD5:	F5D4C985B861189D95478077CADBDE10
SHA1:	3CACFCDCB9A385284720682C1425BA14075657ED
SHA-256:	5CBC398436A1C3563FB39F555E5BCDB73B9D675AB7174C9E0E36F6320DBE4541
SHA-512:	D5A8599ACB1FE229615E190C66BCA2CADF2A2F59834F0CF150056BCE0CBC0D588E6FAF3E00752C334BE68C04A1E07634E6D2D24481C3B3842EA5AD329C4CC513
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37919.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43978
Entropy (8bit):	6.091553936701483
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kozUXqgfb/1tXLz40PhIUpQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynd5t3FqfyW0e6kaoZ
MD5:	F5D4C985B861189D95478077CADBDE10
SHA1:	3CACFCDCB9A385284720682C1425BA14075657ED
SHA-256:	5CBC398436A1C3563FB39F555E5BCDB73B9D675AB7174C9E0E36F6320DBE4541
SHA-512:	D5A8599ACB1FE229615E190C66BCA2CADF2A2F59834F0CF150056BCE0CBC0D588E6FAF3E00752C334BE68C04A1E07634E6D2D24481C3B3842EA5AD329C4CC513
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQw:YQ3Kq9X0dMgAEiLI2
MD5:	265DB1C9337422F9AF69EF2B4E1C7205
SHA1:	3E38976BB5CF035C75C9BC185F72A80E70F41C2E
SHA-256:	7CA5A3CCC077698CA62AC8157676814B3D8E93586364D0318987E37B4F8590BC
SHA-512:	3CC9B76D8D4B6EDB4C41677BE3483AC37785F3BBFEA4489F3855433EBF84EA25FC48EFEE9B74CAB268DC9CB7FB4789A81C94E75C7BF723721DE28AEF53D8B529
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\a94096c3-c3cd-49a7-aced-784acbab836c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44453
Entropy (8bit):	6.097240069372723
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kPYUXqgfbRDj8A4g5jVBUQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynjdDQU6qfyW0e6kaoZ
MD5:	61AFBE1FCB31B2B58A1C389208852A0E
SHA1:	6D6896FF2BB6F954EF362ADEEEE419330EBDA2CE
SHA-256:	81B39E9238B96CEE12577AEA54D1245115FE6DCFBB51DBBF475FBCEA383DC592
SHA-512:	E6712AB2F15458322E3B242EF53763186A1DFA6695DF5E1D7CEB277B0A8A94A768D91C3C239C918BBD3E88D4A012B1DEC0B90B43E1E58EB90386EF495075C3D0
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\e8143072-efbd-4982-b77c-ca8a882590ad.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44453
Entropy (8bit):	6.097240069372723
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kPYUXqgfbRDj8A4g5jVBUQYqGwLWZkHUfG6kCvoZ:z/Ps+wsI7ynjdDQU6qfyW0e6kaoZ
MD5:	61AFBE1FCB31B2B58A1C389208852A0E
SHA1:	6D6896FF2BB6F954EF362ADEEEE419330EBDA2CE
SHA-256:	81B39E9238B96CEE12577AEA54D1245115FE6DCFBB51DBBF475FBCEA383DC592
SHA-512:	E6712AB2F15458322E3B242EF53763186A1DFA6695DF5E1D7CEB277B0A8A94A768D91C3C239C918BBD3E88D4A012B1DEC0B90B43E1E58EB90386EF495075C3D0
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\add[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\fuckingdllENCR[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe
File Type:	data
Category:	dropped
Size (bytes):	97296
Entropy (8bit):	7.9982317718947025
Encrypted:	true
SSDEEP:	1536:A1FazaNKjs9ezO6kGnCRFVjltPjM9Ew1MhiIeJfZCQdOlnq32YTCUZiyAS3tUX9F:k4zaMjVUGCRzbgqw1MoIeJyQ4nyqX9F
MD5:	E6743949BBF24B39B25399CD7C5D3A2E
SHA1:	DBE84C91A9B0ACCD2C1C16D49B48FAEAEC830239
SHA-256:	A3B82FC46635A467CC8375D40DDBDDD71CAE3B7659D2BB5C3C4370930AE9468C
SHA-512:	3D50396CDF33F5C6522D4C485D96425C0DDB341DB9BD66C43EAE6D8617B26A4D9B4B9A5AEE0457A4F1EC6FAC3CB8208C562A479DCAE024A50143CBFA4E1F15F6
Malicious:	false
Preview:	XM .4Ih..]...t.&.s...v.0{.v.vs'...:.l.h...e.....R....1...r.R+Fk....~.s.....Q.....r.T.b.....~c..[........;...j.@.0.%.....x...v.w.....<ru....Yre;.b6...HQ-...8.B..Q.a...R.:.h&r.......=.;r.k..T.@....l..;#..3!.O..x.}........y'<.GfQ.K.#.L5v..].......d....N{e..@................A\..<.t.u.X.O.n..Z.. .Xb.O<.Z...h~.(.W.f.z.V.4..L...%5.0...H..`s...y.B......(IL5s:aS}X.......M9.J.o....).'..M;n6]...W..n....)...L...._..e.....>....[....RA.........'...6.N..g6....IY.%h.. 3r....^..\.b~y./....h.2......ZLk....u}..V..<.fbD.<!.._2.zo..IE...P..O...u......P.......w#.6N..&l.R}GI...LY...N.yz..j..Hy.'..._.5..Pd9.y..+....6.q...).G.c...L#....5\.M....5U])....U(..~H.m....Y....G1.r.4.B..h........P..]i...M%.............)q......]....~\|..j...b..K!..N.7R.}T.2bsq..1...L^..!.\|q.D'...s.Ln...D@..bn%0=b.Q1.....+l...QXO\|.......NC.d......{.0....8F.....<.W.y..{o..j.3.....n..4.....eS]. K...o.B.H~.sh.1....m8....6{.ls..R..q..~....w._;....X*.#..U....6n.ODbT.+Zc....q....S.$-S`YT....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6138368
Entropy (8bit):	7.980553119646899
Encrypted:	false
SSDEEP:	98304:yqIbh88P/kaZkHqh7l/wmKKj86Z1bsaovSBaDV8uAousbufqHQf38wYjfP8t8S1F:yHbz/P2Ho7lh/TavH80uGuiuLYjfUeA
MD5:	DC4E6DA31928988B7F05F091C680FC07
SHA1:	D8725048536A473EEB33B7708D5C860F6D547E3A
SHA-256:	E52C0A3901EAC00FAE656E3AEDB60E9AAA63C51D83A012D21CEB4DDE555CEE7E
SHA-512:	D508B6540EBE450DC47BD6E5B228E59DBCE8B046E0ADBD48A18FA61EAAEE89C920A957F839F0390813D5CEC235AD7DB3DC40A844284A672D5E7187024B0BF789
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg.................<m.............. ...`m...@.. ................................]...@.................................U.m.i....`m.<.....................m..................................................................................... . .@m.. ....C.. ..............@....rsrc...<....`m.......C.............@....idata . ....m.......C.............@... .`)...m.......C.............@...ugefwulq..............C.............@...sehsycct. ............].............@....taggant.@......."....].............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\download[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3273216
Entropy (8bit):	6.6304891753843656
Encrypted:	false
SSDEEP:	49152:dVi6gP774GTTHVhDAI3V7lTLZcfuxhtx91hA8y36gPQjh:dVi/P774GTTHVhUI3VB/muxhtXS36gP
MD5:	142A3931B0023BC4DF9E8F50E142616A
SHA1:	C9E6873D96C4D33201B394B1B4027ED85A55A593
SHA-256:	B828A420B62345944B3DA40233DBBCB624805D98F0E581246943FB7C41A9598B
SHA-512:	728BD8BFBD5D994A376F83E8FD291DDCB668A8EFE7F480650D2D145636D4F6D66D960E214345343D6CD3CCC23565F9DD8F728D342C4C4E55CA344E295ACBBF31
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................2...........@..........................02.......2...@.................................W...k.............................1.............................h.1..................................................... . ............................@....rsrc...............................@....idata ............................@...xcljfhyk.@+......4+.................@...mqunepnm......1.......1.............@....taggant.0....2.."....1.............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1787
Entropy (8bit):	5.3768157965453165
Encrypted:	false
SSDEEP:	48:SfNaoQoaTTEQoFfNaoQMQQfNaoQIKARAzQIKA5fNaoQLAX0UrU0U8Q4:6NnQoaTTEQoxNnQMQcNnQAOzQAVNnQ8r
MD5:	1283F9FE76CD63F8238A4E3BF529DF43
SHA1:	9DB1A0373015E945A22547632A19FD8D4289DD94
SHA-256:	E50431B282378A7D8D2FCD66D90E9A3F1B8B9A6344E2D7F1E2B358EE042F98ED
SHA-512:	1F023C2FEE19A945C99D05EE3D09FD9CFA40CD6108C360B376CC41A57647AFE673B35D6281C23F5F8F748677F19EBB779C4FCA56A207156C3D384D274E777EDE
Malicious:	false
Preview:	[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/5D8CDE250874973504362B7B86803645",.. "id": "5D8CDE250874973504362B7B86803645",.. "title": "Google Network Speech",.. "type": "background_page",.. "url": "chrome-extension://neajdppkdcdipfabeoofebfddakdcjhd/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/5D8CDE250874973504362B7B86803645"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/7ACF9DCBA55CFB52F9F841C9DEF3A592",.. "id": "7ACF9DCBA55CFB52F9F841C9DEF3A592",.. "title": "Google Hangouts",.. "type": "background_page",.. "url": "chrome-extension://nkeimhogjdpnpccoofpliimaahmaaome/background.html",.. "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/7ACF9DCBA55CFB52F9F841C9DEF3A592"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtoo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1950208
Entropy (8bit):	7.943051357366484
Encrypted:	false
SSDEEP:	49152:8lcTycRC1oJwzELFLGiKRZBMTV2YGtlNfW59me0hT4:5VC1oezwFLGrZWTVqHub0hk
MD5:	FFE4817D515153EE00B6C2CD538D1FD4
SHA1:	5F036315A1B6EC84E2B8396662937A53AC9CC8EA
SHA-256:	81E323F3B3DC569ABD1F0EDC1DBE3DE032079ABCFEB0B2E813D64040E2DD8237
SHA-512:	67662A602A17050B6052454641767EBF7491909A18F3CD2827E65C58F69C2B52158802560668B12273CEC0EE042542803B0DE5DA422A0966DFB82F585A0549EB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@.......p............@.................................F.......................................[.A.o.....@............................................................................................................ . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... ..*...A.....................@...viztzmws......k.....................@...cutnkula.....`......................@....taggant.0...p..."..................@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\download[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\key[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.880179922675737
Encrypted:	false
SSDEEP:	3:gFsR0GOWW:gyRhI
MD5:	408E94319D97609B8E768415873D5A14
SHA1:	E1F56DE347505607893A0A1442B6F3659BEF79C4
SHA-256:	E29A4FD2CB1F367A743EA7CFD356DBD19AEB271523BBAE49D4F53257C3B0A78D
SHA-512:	994FA19673C6ADC2CC5EF31C6A5C323406BB351551219EE0EEDA4663EC32DAF2A1D14702472B5CF7B476809B088C85C5BE684916B73046DA0DF72236BC6F5608
Malicious:	false
Preview:	9tKiK3bsYm4fMuK47Pk3s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	967168
Entropy (8bit):	6.696215939813802
Encrypted:	false
SSDEEP:	24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8akvfF:RTvC/MTQYxsWR7ak3
MD5:	AC216AD4963E2CFD1792125A35109CDB
SHA1:	354C13A4F8DB5F33AFB80CA2DB6DFC6C7F65FE58
SHA-256:	F1A01F5CEEA8DFA8D1E2F9B9CDB28A044CE742DA6B736988316EFA7093D6CA68
SHA-512:	29BB23181EBC0F33C9FF7F9162C2AFA185A04CA58B23F525C91F69FDFBC0EC846E67631674359913FCDC5B9BEB403D12A342F40C457358F7937063AFDB9CCB3F
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....Yng..........".................w.............@.......................... .......0....@...@.......@.....................d...\|....@..xW.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...xW...@...X..................@..@.reloc...u.......v...L..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5180416
Entropy (8bit):	5.572219658605412
Encrypted:	false
SSDEEP:	49152:uvrT7xNhLptuSMGCr5rqAQzyaS2bAMNmnF9IAP:OfNbltuSMGI5rq/7XbjNGfIA
MD5:	B0AFC3BE5CA9E3209B844F2CF69F0625
SHA1:	1ED980C5573F8397F73ABC0FE9C59D542763D826
SHA-256:	1ADBF12A222894FEF2869B84725CF2671311CC73246CA7476A6E0807E46B5EC7
SHA-512:	C5980EFCD27A04609F4C370E2ADC2F64288D30542ADE063D57442524B63738833F96C6C860FE5A7C4DEFAE95CCDAAB77C9AFA52D305EAF00ADED3CBC7BC49DEC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........O...........@..........................@O.....FjO...@.................................M.$.a.....$.......................$..................................................................................... . ..$.......$.................@....rsrc.........$.......$.............@....idata ......$.......$.............@...kosvbopd.@...$..@...$.............@...gvemugdt......O.......N.............@....taggant.0....O.."....N.............@...........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3273216
Entropy (8bit):	6.6304891753843656
Encrypted:	false
SSDEEP:	49152:dVi6gP774GTTHVhDAI3V7lTLZcfuxhtx91hA8y36gPQjh:dVi/P774GTTHVhUI3VB/muxhtXS36gP
MD5:	142A3931B0023BC4DF9E8F50E142616A
SHA1:	C9E6873D96C4D33201B394B1B4027ED85A55A593
SHA-256:	B828A420B62345944B3DA40233DBBCB624805D98F0E581246943FB7C41A9598B
SHA-512:	728BD8BFBD5D994A376F83E8FD291DDCB668A8EFE7F480650D2D145636D4F6D66D960E214345343D6CD3CCC23565F9DD8F728D342C4C4E55CA344E295ACBBF31
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................2...........@..........................02.......2...@.................................W...k.............................1.............................h.1..................................................... . ............................@....rsrc...............................@....idata ............................@...xcljfhyk.@+......4+.................@...mqunepnm......1.......1.............@....taggant.0....2.."....1.............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1950208
Entropy (8bit):	7.943051357366484
Encrypted:	false
SSDEEP:	49152:8lcTycRC1oJwzELFLGiKRZBMTV2YGtlNfW59me0hT4:5VC1oezwFLGrZWTVqHub0hk
MD5:	FFE4817D515153EE00B6C2CD538D1FD4
SHA1:	5F036315A1B6EC84E2B8396662937A53AC9CC8EA
SHA-256:	81E323F3B3DC569ABD1F0EDC1DBE3DE032079ABCFEB0B2E813D64040E2DD8237
SHA-512:	67662A602A17050B6052454641767EBF7491909A18F3CD2827E65C58F69C2B52158802560668B12273CEC0EE042542803B0DE5DA422A0966DFB82F585A0549EB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@.......p............@.................................F.......................................[.A.o.....@............................................................................................................ . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... ..*...A.....................@...viztzmws......k.....................@...cutnkula.....`......................@....taggant.0...p..."..................@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6138368
Entropy (8bit):	7.980553119646899
Encrypted:	false
SSDEEP:	98304:yqIbh88P/kaZkHqh7l/wmKKj86Z1bsaovSBaDV8uAousbufqHQf38wYjfP8t8S1F:yHbz/P2Ho7lh/TavH80uGuiuLYjfUeA
MD5:	DC4E6DA31928988B7F05F091C680FC07
SHA1:	D8725048536A473EEB33B7708D5C860F6D547E3A
SHA-256:	E52C0A3901EAC00FAE656E3AEDB60E9AAA63C51D83A012D21CEB4DDE555CEE7E
SHA-512:	D508B6540EBE450DC47BD6E5B228E59DBCE8B046E0ADBD48A18FA61EAAEE89C920A957F839F0390813D5CEC235AD7DB3DC40A844284A672D5E7187024B0BF789
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg.................<m.............. ...`m...@.. ................................]...@.................................U.m.i....`m.<.....................m..................................................................................... . .@m.. ....C.. ..............@....rsrc...<....`m.......C.............@....idata . ....m.......C.............@... .`)...m.......C.............@...ugefwulq..............C.............@...sehsycct. ............].............@....taggant.@......."....].............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\Desktop\DRWgoZo325.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1924096
Entropy (8bit):	7.949591772660484
Encrypted:	false
SSDEEP:	24576:/eJimJdfcVrd13YLNIYOmumHZCsDy0VzPTA0K2pYwdSVjtHj4jJ1wHj5NKeyk:/MZJdf0r/3YWDmTs8hzbIJWj8Xy
MD5:	F5821E480D16F40D9ECA6432956AE44E
SHA1:	6B56E36B29BB7DFA195850C0BB28DBBD65A84714
SHA-256:	9DB2372193E9DD7736163FE1848D3912D985DB145083D67BFF2EAE88D1206237
SHA-512:	4A42A28C9BC6A7C20E862A17AD590AFE3863C5E757C3BA38545A395B291BF9AA555175978D1E0B87823F2FBFC51C18C73B0749E63FCAB6C32003D8BD6343C137
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................K...........@.......................... L.....[.....@.................................W...k.............................K...............................K..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...rkpvjsjf.@....1..@..................@...moaphpaf......K......6..............@....taggant.0....K.."...:..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\DRWgoZo325.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\LummaC2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299520
Entropy (8bit):	6.860310132420335
Encrypted:	false
SSDEEP:	6144:R5s/zt4HV88/rCatOZFABeDUbLv0uC8r9qMq2E9ND43F+ZnSi4:8rtsVPrNMG9qwENs8ZJ4
MD5:	607000C61FCB5A41B8D511B5ED7625D4
SHA1:	DFAA2BFEA8A51B14AC089BB6A39F037E769169D1
SHA-256:	C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
SHA-512:	64940F02635CCBC2DCD42449C0C435A6A50BD00FA93D6E2E161371CDC766103EF858CCBAAE4497A75576121EA7BC25BA54A9064748F9D6676989A4C9F8B50E58
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...xZig............................ .............@..........................P............@.....................................................................(9...................................................................................text............................... ..`.rdata... ......."..................@..@.data...L....0...P..................@....reloc..(9.......:...X..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3273216
Entropy (8bit):	6.6304891753843656
Encrypted:	false
SSDEEP:	49152:dVi6gP774GTTHVhDAI3V7lTLZcfuxhtx91hA8y36gPQjh:dVi/P774GTTHVhUI3VB/muxhtXS36gP
MD5:	142A3931B0023BC4DF9E8F50E142616A
SHA1:	C9E6873D96C4D33201B394B1B4027ED85A55A593
SHA-256:	B828A420B62345944B3DA40233DBBCB624805D98F0E581246943FB7C41A9598B
SHA-512:	728BD8BFBD5D994A376F83E8FD291DDCB668A8EFE7F480650D2D145636D4F6D66D960E214345343D6CD3CCC23565F9DD8F728D342C4C4E55CA344E295ACBBF31
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................2...........@..........................02.......2...@.................................W...k.............................1.............................h.1..................................................... . ............................@....rsrc...............................@....idata ............................@...xcljfhyk.@+......4+.................@...mqunepnm......1.......1.............@....taggant.0....2.."....1.............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 27 06:38:30 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9896140890424694
Encrypted:	false
SSDEEP:	48:8P2bdfoTinuHZidAKZdA1uehwiZUklqehGy+3:8Pso+n3ty
MD5:	6692CE167555520B8CCC3D08A5FC9EE4
SHA1:	4B2C75383E55B5F17857274B798EA873D1B7910A
SHA-256:	010B3E4C87CA234426A129757847774913528DC869777F046173F038827F3B23
SHA-512:	39F3107C56EF2DBD5949020AC375BD3666DA85791D97AF76A6312CE37DF842E9967650061BF4EF83B3E151BE4F07B4B761A58D4196370F4693324065613A3E25
Malicious:	false
Preview:	L..................F.@.. ...$+.,....L.:S2X......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.<....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.<....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.<....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.<...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.<....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........[.[......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 27 06:38:30 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.005267172181053
Encrypted:	false
SSDEEP:	48:8N2bdfoTinuHZidAKZdA1Heh/iZUkAQkqehdy+2:8Nso+nx9Qgy
MD5:	040995EB6E152A8399BEDC16A757A993
SHA1:	12DFDD1C77EC50A015CA3627CD0683C08FF56651
SHA-256:	F58376AE65F677E57F3919FBFCFD9A657C10918E101E6B9B4F09EAB310720C98
SHA-512:	544CF82902479882A96CDE3312396375608E3A1842A77EF2EFEF072CE97673BA8AB5A00A6F6FF9D7306D8010BEE302EA775CF8BC62B21B366134D301688CC90D
Malicious:	false
Preview:	L..................F.@.. ...$+.,....u..S2X......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.<....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.<....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.<....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.<...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.<....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........[.[......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 08:59:33 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.017995631132283
Encrypted:	false
SSDEEP:	48:8F2bdfoTinbHZidAKZdA149eh7sFiZUkmgqeh7sXy+BX:8Fso+nenJy
MD5:	F8FD0FA23F89A1088C986594D5777996
SHA1:	6742BE5595663625FED56B1234FEAF8D88661C51
SHA-256:	1DDD2252EA55D103294D6CCF3BC8B297BF09E8636562D97BDD58267E4F3619DE
SHA-512:	4996009D8ADA984A1E613501AE0F86721954D50E005056F165F095EF17F78220BD46BF69849EC86952357BFC0B27EE050D1CC6672DE6C6CE727679DE99247691
Malicious:	false
Preview:	L..................F.@.. ...$+.,....K..r.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.<....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.<....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.<....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.<...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VEW.L....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........[.[......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 27 06:38:30 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.004079500916928
Encrypted:	false
SSDEEP:	48:8B2bdfoTinuHZidAKZdA14ehDiZUkwqehhy+R:8Bso+nCPy
MD5:	BF12BC6F54FE6E540707AFE9FE9BE51B
SHA1:	2B7221735DB84CC6D7A1AC2E471546C05A1391D7
SHA-256:	AB10DC80C827091880FC17E52D59385E0EE4C5451DA4C840BE4C122D89426831
SHA-512:	DDF3479EDFA261BAB72FCBCC6F6CF62C07C75E5A1EA0940FE204E4FB2AA1BF11944974EE60F92685D51678C381A2CC433B16A8E965EDA0DF65B567FBF2972220
Malicious:	false
Preview:	L..................F.@.. ...$+.,....F.%S2X......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.<....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.<....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.<....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.<...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.<....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........[.[......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 27 06:38:30 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.994029202321531
Encrypted:	false
SSDEEP:	48:8ug2bdfoTinuHZidAKZdA1mehBiZUk1W1qehzy+C:8ugso+ni9Ty
MD5:	B22E6CC0AD433D26D0C026B36161AA6D
SHA1:	6C1E02CF12B0FA3641452FC3C71D2A856BE42C7B
SHA-256:	04A47D7641236F6A93D13A87AF15CD8D465667389E00CDE6005FA59ED022431B
SHA-512:	251A77D87C48935036E7DE3A60B0006133EC0B57C773D0AAD0354B54A76D1AE36593639D017E62B357EBF9DF02B9674A8C1D75FA879D7067F55174CAE6EB7865
Malicious:	false
Preview:	L..................F.@.. ...$+.,......5S2X......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.<....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.<....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.<....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.<...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.<....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........[.[......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 27 06:38:30 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.0063744343271654
Encrypted:	false
SSDEEP:	48:892bdfoTinuHZidAKZdA1duT1ehOuTbbiZUk5OjqehOuTbJy+yT+:89so+npTyTbxWOvTbJy7T
MD5:	4766A1EA9164804DF8D85BA3A80498F1
SHA1:	02F58377EBE1C0BA37B4BB528F8C19A569C591D3
SHA-256:	911130CC59B19419C9D10CE0154A80F6163A7D95382D8E12A3769CD1D954B5A1
SHA-512:	ECAE1470B306F46FA3E30F85AC0282963C9D5BC4C676C20CD9630160BBCC618ABCE8960B33E75569BDFC02BF0A5C455AD5542EAB164C2A6F2BDB74583C476A1D
Malicious:	false
Preview:	L..................F.@.. ...$+.,......S2X......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW$O..PROGRA~1..t......O.I.Y.<....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.<....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.L..Chrome..>......CW.V.Y.<....M......................k..C.h.r.o.m.e.....`.1.....EW.L..APPLIC~1..H......CW.V.Y.<...........................k..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y.<....N.......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........[.[......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\DRWgoZo325.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	3.449140951042956
Encrypted:	false
SSDEEP:	6:fRh9XflNI7UEZ+lX1lOJUPelkDdtIxW+Za/y0ltpt0:5vfA7Q1lOmeeDwc2a/VXt0
MD5:	C03DF5A70B808FA88FFD1BEF01D3D2CA
SHA1:	3DF344E59096911054C8F6201A2E3C81940BF0B8
SHA-256:	D3076433609C0118C6CCDC1621BBC02F99E90239CEB11A4185F8E3424A4D034B
SHA-512:	DB1D7FBB5CBC8CA0BEEBD386BDA99D90DE36D8BC41AA40E8875312D8DA09F40E5FBD20D6CBC619A1B1F90BAB143267A1552A0CF032F6F2D5638F669772A79852
Malicious:	false
Preview:	....A....B.D.....V.F.......<... .....s.......... ....................8.C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........B.R.O.K.-.P.C.\.b.r.o.k...................0.................&.@3P.........................

C:\Windows\Tasks\skotes.job

Download File

Process:	C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe
File Type:	data
Category:	dropped
Size (bytes):	278
Entropy (8bit):	3.4148557155909405
Encrypted:	false
SSDEEP:	6:xeDDbVX37UEZ+lX1CGdKUe6tIxW+Za/y0ltol0ut0:xyR37Q1CGAFFc2a/Vqldt0
MD5:	39ED6D266349BBDFC73CCB20CB987014
SHA1:	F4C670D7A3C3960E0B80DF447AD870FD78C7F4A7
SHA-256:	7CF81440C3790D6C05E551C25F3010BE4F086CC515DE78740F587EDCE782362D
SHA-512:	4AC72743C10AF172D2AF969E4EA0A21589469403EC920C6EE2BCE63B5ECAF219CEA676BFAC0678631DBFE06D71B5124719CF040A65652D78BE6134CC3FB9F258
Malicious:	false
Preview:	....o......I.....".GF.......<... .....s.......... ....................7.C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........B.R.O.K.-.P.C.\.b.r.o.k...................0.................'.@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949591772660484
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DRWgoZo325.exe
File size:	1'924'096 bytes
MD5:	f5821e480d16f40d9eca6432956ae44e
SHA1:	6b56e36b29bb7dfa195850c0bb28dbbd65a84714
SHA256:	9db2372193e9dd7736163fe1848d3912d985db145083d67bff2eae88d1206237
SHA512:	4a42a28c9bc6a7c20e862a17ad590afe3863c5e757c3ba38545a395b291bf9aa555175978d1e0b87823f2fbfc51c18c73b0749e63fcab6c32003d8bd6343c137
SSDEEP:	24576:/eJimJdfcVrd13YLNIYOmumHZCsDy0VzPTA0K2pYwdSVjtHj4jJ1wHj5NKeyk:/MZJdf0r/3YWDmTs8hzbIJWj8Xy
TLSH:	679533DC4DB33AFBFADD17B08ADB6B22B4389F31D85450A5B66E10713AA134A8174713
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8bf000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F871CC726BAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x4ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4bd9f4	0x10	rkpvjsjf
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4bd9a4	0x18	rkpvjsjf
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	a37af57d32380baa368b9993dae66552	False	0.9971581232970027	data	7.981458864022524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x4ac	0x400	a9298620f679ba2a98ef289f430bd641	False	0.6083984375	data	5.105119154654041	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2af000	0x200	aeabe914960be238708c302d69a83e8b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rkpvjsjf	0x31a000	0x1a4000	0x1a4000	549a12d2e8b05fd78d223064731c40c8	False	0.9943318684895833	data	7.954036468400131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
moaphpaf	0x4be000	0x1000	0x400	2c125eb14f6f86c3ba142b31c3d14d00	False	0.83984375	data	6.39587462715274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4bf000	0x3000	0x2200	a6e20002e1610cc813f398da646994f4	False	0.07123161764705882	DOS executable (COM)	0.9290901896680659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4bda04	0x2bb	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.4978540772532189
RT_MANIFEST	0x4bdcbf	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	02:37:02
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\DRWgoZo325.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DRWgoZo325.exe"
Imagebase:	0x760000
File size:	1'924'096 bytes
MD5 hash:	F5821E480D16F40D9ECA6432956AE44E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1334609057.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1294178727.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:37:05
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0x3e0000
File size:	1'924'096 bytes
MD5 hash:	F5821E480D16F40D9ECA6432956AE44E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.1324892862.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1365524089.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:37:06
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x3e0000
File size:	1'924'096 bytes
MD5 hash:	F5821E480D16F40D9ECA6432956AE44E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.1341539424.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.1382490923.00000000003E1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:38:00
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x3e0000
File size:	1'924'096 bytes
MD5 hash:	F5821E480D16F40D9ECA6432956AE44E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000003.1870097821.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	02:38:14
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe"
Imagebase:	0xd60000
File size:	5'180'416 bytes
MD5 hash:	B0AFC3BE5CA9E3209B844F2CF69F0625
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000009.00000002.2632544448.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2638205082.0000000000E2C000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000009.00000002.2638205082.0000000000D61000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	02:38:22
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe"
Imagebase:	0x560000
File size:	3'273'216 bytes
MD5 hash:	142A3931B0023BC4DF9E8F50E142616A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000A.00000002.2166710457.0000000000561000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:38:25
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe"
Imagebase:	0xd60000
File size:	5'180'416 bytes
MD5 hash:	B0AFC3BE5CA9E3209B844F2CF69F0625
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000B.00000002.2757686221.000000000189B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000B.00000002.2754081049.0000000000D61000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	02:38:25
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0xc00000
File size:	3'273'216 bytes
MD5 hash:	142A3931B0023BC4DF9E8F50E142616A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000C.00000002.2214362790.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security
Antivirus matches:	Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:38:25
Start date:	27/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:38:25
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xc00000
File size:	3'273'216 bytes
MD5 hash:	142A3931B0023BC4DF9E8F50E142616A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000E.00000002.2209861495.0000000000C01000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:38:27
Start date:	27/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2200,i,14566512888853355500,13257797279014534017,262144 /prefetch:8
Imagebase:	0x7ff6c5c30000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:38:30
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1009136001\daf7989e83.exe"
Imagebase:	0x400000
File size:	1'950'208 bytes
MD5 hash:	FFE4817D515153EE00B6C2CD538D1FD4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000011.00000002.2973140461.0000000000F38000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000011.00000002.2977025015.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	02:38:33
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1009135001\d1e123248e.exe"
Imagebase:	0x560000
File size:	3'273'216 bytes
MD5 hash:	142A3931B0023BC4DF9E8F50E142616A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000012.00000002.2261811221.0000000000561000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:38:38
Start date:	27/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Imagebase:	0x7ff6a9290000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:38:38
Start date:	27/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=2328,i,6874197867965410317,15651413299758625886,262144 /prefetch:3
Imagebase:	0x7ff6a9290000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	02:38:38
Start date:	27/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff6a9290000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:38:39
Start date:	27/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2040,i,8703990507698830119,13622165365781825224,262144 /prefetch:3
Imagebase:	0x7ff6a9290000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	02:38:43
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1009134001\32ff2fbd90.exe"
Imagebase:	0xd60000
File size:	5'180'416 bytes
MD5 hash:	B0AFC3BE5CA9E3209B844F2CF69F0625
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000018.00000002.2681222976.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000018.00000002.2682614788.0000000000D61000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	02:38:46
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1009137001\7d4f3b6a88.exe"
Imagebase:	0xbe0000
File size:	6'138'368 bytes
MD5 hash:	DC4E6DA31928988B7F05F091C680FC07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	02:38:47
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\LummaC2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Imagebase:	0xb30000
File size:	299'520 bytes
MD5 hash:	607000C61FCB5A41B8D511B5ED7625D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 37%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	02:38:48
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0xf30000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 26%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	02:39:00
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xc00000
File size:	3'273'216 bytes
MD5 hash:	142A3931B0023BC4DF9E8F50E142616A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000001C.00000003.4025498350.0000000005B00000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	02:39:15
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\CBGCAFIIEC.exe"
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	02:39:15
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	02:39:15
Start date:	27/12/2024
Path:	C:\Users\user\Documents\CBGCAFIIEC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Documents\CBGCAFIIEC.exe"
Imagebase:	0x990000
File size:	3'273'216 bytes
MD5 hash:	142A3931B0023BC4DF9E8F50E142616A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000020.00000002.2676025129.0000000000991000.00000040.00000001.01000000.00000015.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	02:39:19
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6560 -s 500
Imagebase:	0xb20000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	02:40:14
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1023525001\rsn.exe"
Imagebase:	0xb10000
File size:	36'208'640 bytes
MD5 hash:	80956DBEEA97182A0709F9BC15A4B5D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	02:40:19
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1023609001\64T69R7.exe"
Imagebase:	0x450000
File size:	23'552 bytes
MD5 hash:	2A73FA2FB9F993D5F412716C3369ED0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	02:40:19
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\kpjmxto'
Imagebase:	0x120000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	02:40:19
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	02:40:22
Start date:	27/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	02:40:29
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe
Wow64 process (32bit):
Commandline:	"C:\Users\user\AppData\Local\Temp\1023742001\b016a3d9d5.exe"
Imagebase:
File size:	2'958'336 bytes
MD5 hash:	21707CD3B6DDDC2414D474FB4E867A09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	02:40:33
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe
Wow64 process (32bit):
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe"
Imagebase:
File size:	1'282'048 bytes
MD5 hash:	990EC3DDAD4A74B16A404FBFDD19CEA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002C.00000003.3741043776.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	02:40:42
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnywnayy_638708640251469628.exe
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	1'282'048 bytes
MD5 hash:	990EC3DDAD4A74B16A404FBFDD19CEA2
Has elevated privileges:
Has administrator privileges:
Programmed in:	Borland Delphi
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	02:41:13
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1023743001\c2ca7fb2d0.exe
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	22'156'802 bytes
MD5 hash:	6D6BBF1E873FB791141EA7FE2C166DCF
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000002E.00000002.4120987964.0000000001ECC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_vidar_strings_nov23, Description: Finds Vidar samples based on the specific strings, Source: 0000002E.00000002.4120987964.0000000001ECC000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000002E.00000002.4120987964.0000000001E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_vidar_strings_nov23, Description: Finds Vidar samples based on the specific strings, Source: 0000002E.00000002.4120987964.0000000001E80000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000002E.00000002.4120987964.0000000001EA6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_vidar_strings_nov23, Description: Finds Vidar samples based on the specific strings, Source: 0000002E.00000002.4120987964.0000000001EA6000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000002E.00000002.4120987964.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 0000002E.00000002.4120987964.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Has exited:	false

Show Windows behavior

Function 05180B04 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1338024572.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_DRWgoZo325.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b75aab7e51d4d89e3c03144a5cdd7ba9ed782fd0e81371ce9e3ab8e21f1b9a
Instruction ID: 67c7a0229a8d0c2786549ed92f5a23515570d56798276ac0ea1d0d59699d25b4
Opcode Fuzzy Hash: e1b75aab7e51d4d89e3c03144a5cdd7ba9ed782fd0e81371ce9e3ab8e21f1b9a
Instruction Fuzzy Hash: 10E0B6EE11D02DBD2179E0811AEDDB6191FE3DD77D37B4416B80786581A3988A1E0821

Function 05180BA5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1338024572.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_DRWgoZo325.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312f19ee186f163f04f3a114b2c0df930b82f0e4abc1e392f0e47a30a2fba2f5
Instruction ID: cc66056bc3150fed344926e95c0c89f633144e282418f5e26f0c277afaaefb29
Opcode Fuzzy Hash: 312f19ee186f163f04f3a114b2c0df930b82f0e4abc1e392f0e47a30a2fba2f5
Instruction Fuzzy Hash: 542105EF14D019BD217AE8551BA89F62B9FF7DF3303328856F457CA502E3940A8E4871

Function 05180BE0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1338024572.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_DRWgoZo325.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb660bf6038320c801bcb36595891567383faf6406c2926cc5743c89395a32f
Instruction ID: 6a31c1ffca0b1aa54df7b7ed87f6cc88c730390143ff8029d97f1178445722a7
Opcode Fuzzy Hash: 3bb660bf6038320c801bcb36595891567383faf6406c2926cc5743c89395a32f
Instruction Fuzzy Hash: 4C1125BE188209BD527AF99517485F67BDBBBDF330332896AF04786602D3940A8C9931

Function 05180C1F Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1338024572.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_DRWgoZo325.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126ab78df1a9b5e15d39483253094d55d1113b79758d0d8e25112f7d98bea17a
Instruction ID: 9460561b761d3c27dfc91ed02d7def96feb0d7545053dba561740d2b799e5eb7
Opcode Fuzzy Hash: 126ab78df1a9b5e15d39483253094d55d1113b79758d0d8e25112f7d98bea17a
Instruction Fuzzy Hash: 380108EF18E145BE627AA9445A189F67BAFEBDB3303324956F047D610393A4094C5A31

Function 05180C06 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1338024572.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_DRWgoZo325.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fce358d61610b69bcbf369fc0c2a12017ac7c0e787a1b66499d38a04988ec2
Instruction ID: 6a576dd41587fab5f3b66de9decd0bf0dc52402b73ee522e4d968cfeeded5bbe
Opcode Fuzzy Hash: a0fce358d61610b69bcbf369fc0c2a12017ac7c0e787a1b66499d38a04988ec2
Instruction Fuzzy Hash: A20124AF189109FD227AF8451B18AF26B9FA7DF3303328963F00BC960293D00A8C5931

Function 05180C15 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1338024572.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_DRWgoZo325.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ab6c870db5ead61284c6f17214ceca896db35316d926f20f972dc58f6fad90
Instruction ID: 256e1ad50dc305f9559c2f1fde4e276405dd0de8aa1cbe43761ed9ddf81a9c67
Opcode Fuzzy Hash: 85ab6c870db5ead61284c6f17214ceca896db35316d926f20f972dc58f6fad90
Instruction Fuzzy Hash: FD01DFAF189109BD627AE9442B18AF66B9FA7DB3303328963F417C910293D00A8C5931

Function 05180C5B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1338024572.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_DRWgoZo325.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d252fb4a42b2bd9b854ef5789f2645d967b3ffb427081d75b51dd88278b953
Instruction ID: e871d9ea691e2000197b6f43110defae13f8209bfad35b64f047e2bc372af218
Opcode Fuzzy Hash: f7d252fb4a42b2bd9b854ef5789f2645d967b3ffb427081d75b51dd88278b953
Instruction Fuzzy Hash: 53F022EF24815AADA176F8452B189F6779BEBDA7303324966F406CA102D3D00A4C5930

Function 05180C74 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1338024572.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_DRWgoZo325.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238b6e5493fa4ff3f72019b624344f7a87b1888b772a88dd364a638d4e8028eb
Instruction ID: d286b4787f7cf6055213df2849090d006f3708f90efc88884ef0b65686065ff4
Opcode Fuzzy Hash: 238b6e5493fa4ff3f72019b624344f7a87b1888b772a88dd364a638d4e8028eb
Instruction Fuzzy Hash: 16F0E2AF24914AAD217AF44127286F6639AE7EB3313324977F407C610297C00A8C5931

Function 05180C83 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1338024572.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5180000_DRWgoZo325.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcefc0ffc3f21f56a8002d931d04b50d5e0e6f8277b27070ca54c0729b279e5
Instruction ID: 5f7d2d1c5c4d5d8f5617375bfaa06adb3292911e13751ab7a8355f6dec63035b
Opcode Fuzzy Hash: 0bcefc0ffc3f21f56a8002d931d04b50d5e0e6f8277b27070ca54c0729b279e5
Instruction Fuzzy Hash: 2EF0ECAF248146AD6136F44127586F6B76BE7DA3303324577F457C6102D3C40A4D1931

Analysis Process: 32ff2fbd90.exePID: 1836, Parent PID: 7196COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	30.6%
Total number of Nodes:	108
Total number of Limit Nodes:	12

Executed Functions

Function 6C7035A0 Relevance: 38.8, APIs: 16, Strings: 6, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6C78F688,00001000), ref: 6C7035D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C7035E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6C7035FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C70363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C70369F
__aulldiv.LIBCMT ref: 6C7036E4
QueryPerformanceCounter.KERNEL32(?), ref: 6C703773
EnterCriticalSection.KERNEL32(6C78F688), ref: 6C70377E
LeaveCriticalSection.KERNEL32(6C78F688), ref: 6C7037BD
QueryPerformanceCounter.KERNEL32(?), ref: 6C7037C4
EnterCriticalSection.KERNEL32(6C78F688), ref: 6C7037CB
LeaveCriticalSection.KERNEL32(6C78F688), ref: 6C703801
__aulldiv.LIBCMT ref: 6C703883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C703902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C703918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C70394C

Strings

GTC, xrefs: 6C703912
QPC, xrefs: 6C7038FC
GenuntelineI, xrefs: 6C703639
MOZ_TIMESTAMP_MODE, xrefs: 6C7035DB
K|/, xrefs: 6C7035AC
AuthcAMDenti, xrefs: 6C703946

Memory Dump Source

Source File: 00000009.00000002.2672879136.000000006C701000.00000020.00000001.01000000.00000014.sdmp, Offset: 6C700000, based on PE: true

Associated: 00000009.00000002.2672818612.000000006C700000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000009.00000002.2673231363.000000006C77D000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000009.00000002.2673350553.000000006C78E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000009.00000002.2673413896.000000006C792000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c700000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$K|/$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3097426904
Opcode ID: 9c9e468a775ce7abf94e68e8e2a370993c76de54eb21b6b715cc555c73507b56
Instruction ID: b03a50315068f7a1ba06a51f5604eee8b31e07af030150541ee9c1154c0f8a11
Opcode Fuzzy Hash: 9c9e468a775ce7abf94e68e8e2a370993c76de54eb21b6b715cc555c73507b56
Instruction Fuzzy Hash: 26B1C5B5B063109FDB08DF29C944A1A7BF5BB8B714F248A3EE699D3750D770A9008B91

Function 6C71C930 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 6C71C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C71C969
GetSystemInfo.KERNEL32(?), ref: 6C71C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C71C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C71C9E2

Strings

K|/, xrefs: 6C71C939

Memory Dump Source

Source File: 00000009.00000002.2672879136.000000006C701000.00000020.00000001.01000000.00000014.sdmp, Offset: 6C700000, based on PE: true

Associated: 00000009.00000002.2672818612.000000006C700000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000009.00000002.2673231363.000000006C77D000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000009.00000002.2673350553.000000006C78E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000009.00000002.2673413896.000000006C792000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c700000_32ff2fbd90.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID: K|/
API String ID: 4191843772-382830970
Opcode ID: cfb6290bb4214bccca91aa970ae815fdccca13120a153e41232d2cf1641697e6
Instruction ID: 4f98c58d22f0e887c9613eea12e95a6e3bdd0fe2d70cde295fb2efa76d4d8d46
Opcode Fuzzy Hash: cfb6290bb4214bccca91aa970ae815fdccca13120a153e41232d2cf1641697e6
Instruction Fuzzy Hash: 21212F317462146BDB045B64CD89BAE77B9EB47741F740139FA0797E40D770AC0487A1

Function 6C703060 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C703095

Part of subcall function 6C7035A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C78F688,00001000), ref: 6C7035D5
Part of subcall function 6C7035A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C7035E0
Part of subcall function 6C7035A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C7035FD
Part of subcall function 6C7035A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C70363F
Part of subcall function 6C7035A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C70369F
Part of subcall function 6C7035A0: __aulldiv.LIBCMT ref: 6C7036E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C70309F

Part of subcall function 6C725B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C7256EE,?,00000001), ref: 6C725B85
Part of subcall function 6C725B50: EnterCriticalSection.KERNEL32(6C78F688,?,?,?,6C7256EE,?,00000001), ref: 6C725B90
Part of subcall function 6C725B50: LeaveCriticalSection.KERNEL32(6C78F688,?,?,?,6C7256EE,?,00000001), ref: 6C725BD8
Part of subcall function 6C725B50: GetTickCount64.KERNEL32 ref: 6C725BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C7030BE

Part of subcall function 6C7030F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C703127
Part of subcall function 6C7030F0: __aulldiv.LIBCMT ref: 6C703140

Part of subcall function 6C73AB2A: __onexit.LIBCMT ref: 6C73AB30

Strings

K|/, xrefs: 6C70306A

Memory Dump Source

Source File: 00000009.00000002.2672879136.000000006C701000.00000020.00000001.01000000.00000014.sdmp, Offset: 6C700000, based on PE: true

Associated: 00000009.00000002.2672818612.000000006C700000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000009.00000002.2673231363.000000006C77D000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000009.00000002.2673350553.000000006C78E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000009.00000002.2673413896.000000006C792000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c700000_32ff2fbd90.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID: K|/
API String ID: 4291168024-382830970
Opcode ID: 484efa3c46bc547305f84b02a3f6bd5504613d460e8b3e24f0fa583eb9b04485
Instruction ID: f54860f5ffba653d2f8f597f5a7788c968a0784aa6597701411bd29716bf48b1
Opcode Fuzzy Hash: 484efa3c46bc547305f84b02a3f6bd5504613d460e8b3e24f0fa583eb9b04485
Instruction Fuzzy Hash: 27F02D52F21B4897CB10EF7489855E67370EF6B214F301739E94857561FB2061D883C2

Non-executed Functions

Function 6C830700 Relevance: 145.2, APIs: 96, Instructions: 1215threadmemorytimeCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C830747

Part of subcall function 6C880FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881000
Part of subcall function 6C880FF0: PR_NewLock.NSS3(?,00000800,6C81EF74,00000000), ref: 6C881016
Part of subcall function 6C880FF0: PL_InitArenaPool.NSS3(00000000,security,6C8287ED,00000008,?,00000800,6C81EF74,00000000), ref: 6C88102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000018), ref: 6C830760

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C83078C

Part of subcall function 6C87FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C878D2D,?,00000000,?), ref: 6C87FB85
Part of subcall function 6C87FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C87FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C949AEC,?), ref: 6C8307A4

Part of subcall function 6C87B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9518D0,?), ref: 6C87B095

PR_SetError.NSS3(FFFFE076,00000000), ref: 6C830932

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

PR_GetCurrentThread.NSS3 ref: 6C8307B0

Part of subcall function 6C8E9BF0: TlsGetValue.KERNEL32(?,?,?,6C930A75), ref: 6C8E9C07

DER_GetInteger_Util.NSS3(-00000004), ref: 6C8307D4
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C83093D
PR_SetError.NSS3(FFFFE09D,00000000), ref: 6C830972
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C949D5C,?), ref: 6C830998
PR_GetCurrentThread.NSS3 ref: 6C8309A8
PR_SetError.NSS3(FFFFE081,00000000), ref: 6C8309C5
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C830A7A
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C949BEC,?), ref: 6C830AC2
PR_GetCurrentThread.NSS3 ref: 6C830AD2
CERT_ImportCerts.NSS3(?,0000000A,?,?,00000000,00000000,00000000,00000000), ref: 6C830B2B
PR_SetError.NSS3(FFFFE081,00000000), ref: 6C830B44
PORT_NewArena_Util.NSS3(00000800), ref: 6C830BAC
SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,6C949D08,?), ref: 6C830BCD
PR_GetCurrentThread.NSS3 ref: 6C830BDD
PR_SetError.NSS3(FFFFE081,00000000), ref: 6C830BFD
PR_SetError.NSS3(FFFFE07F,00000000), ref: 6C830C11
PR_SetError.NSS3(FFFFE073,00000000), ref: 6C830C76
PORT_ArenaAlloc_Util.NSS3(00000000,00000008), ref: 6C830CF3
SECITEM_ArenaDupItem_Util.NSS3(00000000,?), ref: 6C830D1B
SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,00000000), ref: 6C830D36
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C830D94
CERT_DestroyCertArray.NSS3(?,00000000), ref: 6C830DC3
DER_GeneralizedTimeToTime_Util.NSS3(?,?), ref: 6C830DE8
PR_GetCurrentThread.NSS3 ref: 6C830DFD
PR_SetError.NSS3(FFFFE090,00000000), ref: 6C830E22
SECITEM_CompareItem_Util.NSS3(00000047), ref: 6C830E5A
PR_SetError.NSS3(FFFFE07F,00000000), ref: 6C830E6F
CERT_IsCACert.NSS3(00000000,00000000), ref: 6C830E7F
PR_SetError.NSS3(FFFFE090,00000000), ref: 6C830EBC
PR_GetCurrentThread.NSS3 ref: 6C830F2E
PR_GetCurrentThread.NSS3 ref: 6C830F3C
PR_SetError.NSS3(FFFFE09D,00000000), ref: 6C830F51
SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C830F5A
PR_GetCurrentThread.NSS3 ref: 6C830F7F
CERT_DestroyCertificate.NSS3 ref: 6C830F95
DER_GeneralizedTimeToTime_Util.NSS3(?,0000009F), ref: 6C830FE8
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C831060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C83107F
SECOID_FindOID_Util.NSS3(?), ref: 6C83108C
SECITEM_CompareItem_Util.NSS3(?,00000000), ref: 6C8310CB
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C8310F9

Part of subcall function 6C82F3F0: SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C82F453
Part of subcall function 6C82F3F0: SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C82F4A5
Part of subcall function 6C82F3F0: SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C82F4EA

SECITEM_CompareItem_Util.NSS3(?,00000000), ref: 6C8310DD
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C83110E
PR_SetError.NSS3(FFFFE07E,00000000), ref: 6C83112A
CERT_DestroyCertificate.NSS3(00000000), ref: 6C831141
CERT_DestroyCertificate.NSS3(00000000), ref: 6C83114E
DER_GeneralizedTimeToTime_Util.NSS3(?,?), ref: 6C8311B7
SECITEM_CompareItem_Util.NSS3(00000047), ref: 6C831202
PR_SetError.NSS3(FFFFE07F,00000000), ref: 6C83121A
SECOID_FindOID_Util.NSS3(?), ref: 6C831226

Part of subcall function 6C8807B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C828298,?,?,?,6C81FCE5,?), ref: 6C8807BF
Part of subcall function 6C8807B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8807E6
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C88081B
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C880825

SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000000), ref: 6C831268
PK11_HashBuf.NSS3(?,?,?,?), ref: 6C831285
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C831294
SECITEM_CompareItem_Util.NSS3(00000000,?), ref: 6C8312A7

Part of subcall function 6C87FCB0: memcmp.VCRUNTIME140(?,8B0B74C0,04C6831E,?,00000000,?,6C824101,00000000,?,?,?,6C821666,?,?), ref: 6C87FCF2

SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000000), ref: 6C8313D1
PK11_HashBuf.NSS3(?,?,?,?), ref: 6C8313F5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C831408
SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000000), ref: 6C83143F
PK11_HashBuf.NSS3(?,?,?,?), ref: 6C83145A
SECITEM_CompareItem_Util.NSS3(00000000,?), ref: 6C831473
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C831480
SECITEM_AllocItem_Util.NSS3(00000000), ref: 6C8314C1
PK11_HashBuf.NSS3(?,?,?,?,?,00000000,00000000), ref: 6C8314DB
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,00000000,00000000), ref: 6C8314EA
CERT_DestroyCertificate.NSS3(00000000), ref: 6C8314F9

Part of subcall function 6C8295B0: TlsGetValue.KERNEL32(00000000,?,6C8400D2,00000000), ref: 6C8295D2
Part of subcall function 6C8295B0: EnterCriticalSection.KERNEL32(?,?,?,6C8400D2,00000000), ref: 6C8295E7
Part of subcall function 6C8295B0: PR_Unlock.NSS3(?,?,?,?,6C8400D2,00000000), ref: 6C829605

SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C831522
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C83153B
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C83155B
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8312B4

Part of subcall function 6C87FAB0: free.MOZGLUE(?,-00000001,?,?,6C81F673,00000000,00000000), ref: 6C87FAC7

CERT_DecodeOidSequence.NSS3(?), ref: 6C8312EB
SECOID_FindOID_Util.NSS3(00000000), ref: 6C831306
PR_SetError.NSS3(FFFFE090,00000000), ref: 6C831331
free.MOZGLUE(?), ref: 6C831346
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C831357
CERT_FindCertIssuer.NSS3(?,?,?,0000000B), ref: 6C83137D
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C831570
PR_Now.NSS3 ref: 6C831588
DER_GeneralizedTimeToTime_Util.NSS3(?,?), ref: 6C8315D3
PR_Now.NSS3 ref: 6C831623
DER_GeneralizedTimeToTime_Util.NSS3(?,?), ref: 6C83164F
PR_SetError.NSS3(FFFFE00C,00000000), ref: 6C831662
PR_GetCurrentThread.NSS3 ref: 6C831678

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Item_$Error$Compare$CurrentThread$ArenaZfree$DecodeDestroyHash$Arena_GeneralizedQuickTimeTime_Value$AllocAlloc_CertificateFindK11_$CertEqual_FreeItems$CriticalEnterLookupSectionTableUnlockfree$AllocateArrayCertsConstCopyImportInitInteger_IssuerLockPoolPublicSequencecallocmemcmpmemcpy
String ID:
API String ID: 782668047-0
Opcode ID: 4ee67f299854f0ff843f46498692681a63ce1a606e0f2856d9c83824b56d9302
Instruction ID: 40c427e16de75b3cb2a0d8d2ef3f720a1faba5e2e5d7770b05bd7a0acf284510
Opcode Fuzzy Hash: 4ee67f299854f0ff843f46498692681a63ce1a606e0f2856d9c83824b56d9302
Instruction Fuzzy Hash: F392C071A083519BE720CFA9DE40B5BB7E4AF84708F146D2CE88997B51E731E944CB92

Function 6C836E90 Relevance: 142.5, APIs: 71, Strings: 10, Instructions: 783stringmemoryCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C982120,6C837E60), ref: 6C836EBC
TlsGetValue.KERNEL32 ref: 6C836EDF
EnterCriticalSection.KERNEL32(?), ref: 6C836EF3
PR_WaitCondVar.NSS3(000000FF), ref: 6C836F25

Part of subcall function 6C80A900: TlsGetValue.KERNEL32(00000000,?,6C9814E4,?,6C7A4DD9), ref: 6C80A90F
Part of subcall function 6C80A900: _PR_MD_WAIT_CV.NSS3(?,?,?), ref: 6C80A94F

PR_Unlock.NSS3 ref: 6C836F68
PORT_ZAlloc_Util.NSS3(00000008), ref: 6C836FA9
TlsGetValue.KERNEL32 ref: 6C8370B4
EnterCriticalSection.KERNEL32(?), ref: 6C8370C8
PR_CallOnce.NSS3(6C9824C0,6C877590), ref: 6C837104
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C837117
SECOID_Init.NSS3 ref: 6C837128
PORT_Alloc_Util.NSS3(00000057), ref: 6C83714E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C83717F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C8371A9
PR_NotifyAllCondVar.NSS3 ref: 6C8371CF
PR_Unlock.NSS3 ref: 6C8371DD
free.MOZGLUE(?), ref: 6C8371EE
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C837208
free.MOZGLUE(00000000), ref: 6C837221
free.MOZGLUE(00000001), ref: 6C837235
TlsGetValue.KERNEL32 ref: 6C83724A
EnterCriticalSection.KERNEL32(?), ref: 6C83725E
PR_NotifyCondVar.NSS3 ref: 6C837273
PR_Unlock.NSS3 ref: 6C837281
SECMOD_DestroyModule.NSS3(00000000), ref: 6C837291
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C8372B1
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C8372D4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C8372E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C837301
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C837310
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C837335
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C837344
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C837363
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C837372
PR_smprintf.NSS3(name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s",NSS Internal Module,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,6C970148,,defaultModDB,internalKeySlot), ref: 6C8374CC
free.MOZGLUE(00000000), ref: 6C837513
free.MOZGLUE(00000000), ref: 6C83751B
free.MOZGLUE(00000000), ref: 6C837528
free.MOZGLUE(00000000), ref: 6C83753C
free.MOZGLUE(00000000), ref: 6C837550
free.MOZGLUE(00000000), ref: 6C837561
free.MOZGLUE(00000000), ref: 6C837572
free.MOZGLUE(00000000), ref: 6C837583
free.MOZGLUE(00000000), ref: 6C837594
free.MOZGLUE(00000000), ref: 6C8375A2
SECMOD_LoadModule.NSS3(00000000,00000000,00000001), ref: 6C8375BD
free.MOZGLUE(00000000), ref: 6C8375C8
free.MOZGLUE(00000000), ref: 6C8375F1
PR_NewLock.NSS3 ref: 6C837636
SECMOD_DestroyModule.NSS3(00000000), ref: 6C837686
PR_NewLock.NSS3 ref: 6C8376A2

Part of subcall function 6C8E98D0: calloc.MOZGLUE(00000001,00000084,6C810936,00000001,?,6C81102C), ref: 6C8E98E5

PORT_ZAlloc_Util.NSS3(00000050), ref: 6C8376B6
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sql:,00000004), ref: 6C837707
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dbm:,00000004), ref: 6C83771C
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,extern:,00000007), ref: 6C837731
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,rdb:,00000004), ref: 6C83774A
DeleteCriticalSection.KERNEL32(?), ref: 6C837770
free.MOZGLUE(?), ref: 6C837779
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C83779A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8377AC
PORT_Alloc_Util.NSS3(-0000000D), ref: 6C8377C4
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C8377DB
strrchr.VCRUNTIME140(?,0000002F), ref: 6C837821
PORT_Alloc_Util.NSS3(?), ref: 6C837837
memcpy.VCRUNTIME140(00000000,00000000,00000000), ref: 6C83785B
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C83786F
SECMOD_AddNewModuleEx.NSS3 ref: 6C8378AC
free.MOZGLUE(00000000), ref: 6C8378BE
SECMOD_AddNewModuleEx.NSS3 ref: 6C8378F3
free.MOZGLUE(00000000), ref: 6C8378FC
free.MOZGLUE(00000000), ref: 6C83791C

Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107AD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107CD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107D6
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C7A204A), ref: 6C8107E4
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,6C7A204A), ref: 6C810864
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C810880
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,6C7A204A), ref: 6C8108CB
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108D7
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108FB

Strings

dll, xrefs: 6C83788E
extern:, xrefs: 6C83772B
sql:, xrefs: 6C8376FE
kbi., xrefs: 6C837886
NSS Internal Module, xrefs: 6C8374A2, 6C8374C6
name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s", xrefs: 6C8374C7
rdb:, xrefs: 6C837744
Spac, xrefs: 6C837389
dbm:, xrefs: 6C837716
,defaultModDB,internalKeySlot, xrefs: 6C83748D, 6C8374AA

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$strlen$Value$Alloc_ModuleUtil$CriticalSectionstrncmp$CondEnterUnlockcallocmemcpy$CallDestroyErrorLockNotifyOnce$DeleteInitLoadR_smprintfWaitstrrchr
String ID: ,defaultModDB,internalKeySlot$NSS Internal Module$Spac$dbm:$dll$extern:$kbi.$name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s"$rdb:$sql:
API String ID: 3465160547-3797173233
Opcode ID: 10bdbecb4903cec22cb39b4f2e403d1dadce82c0ca695fa7153cd8dc5aa2ceb9
Instruction ID: a17da7559819d5a1f0e774f9fed2dc5b89805f70c890ac92b4b4e0090bc8338e
Opcode Fuzzy Hash: 10bdbecb4903cec22cb39b4f2e403d1dadce82c0ca695fa7153cd8dc5aa2ceb9
Instruction Fuzzy Hash: 1C52F8B1E06225DBEF219FA4CF0579A77B4AF06308F246828ED0DA7A41E731D954CBD1

Function 6C846D90 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 809COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,6C94A8EC,0000006C), ref: 6C846DC6
memcpy.VCRUNTIME140(?,6C94A958,0000006C), ref: 6C846DDB
memcpy.VCRUNTIME140(?,6C94A9C4,00000078), ref: 6C846DF1
memcpy.VCRUNTIME140(?,6C94AA3C,0000006C), ref: 6C846E06
memcpy.VCRUNTIME140(?,6C94AAA8,00000060), ref: 6C846E1C
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C846E38

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

PK11_DoesMechanism.NSS3(?,?), ref: 6C846E76
TlsGetValue.KERNEL32 ref: 6C84726F
EnterCriticalSection.KERNEL32(?), ref: 6C847283

Strings

!, xrefs: 6C847123

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: memcpy$Value$CriticalDoesEnterErrorK11_MechanismSection
String ID: !
API String ID: 3333340300-2657877971
Opcode ID: a1358bd769ce6b66cbfe637f3195bf86591f5d7da0b4cd89510427c57357801a
Instruction ID: 7d92c0830f33a1bf6cd58796671df70f039608cccafa63189c8bcbe26ff73526
Opcode Fuzzy Hash: a1358bd769ce6b66cbfe637f3195bf86591f5d7da0b4cd89510427c57357801a
Instruction Fuzzy Hash: 8872AF75D05219DFDF20CF28CD88B9ABBB5AF49304F1485A9D80DA7701EB31AA84CF91

Function 6C80E6E0 Relevance: 44.2, APIs: 17, Strings: 8, Instructions: 452stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,6C80DA6A,?,00000000,?,?), ref: 6C80E6FF
sqlite3_initialize.NSS3(?,?,00000000,?,6C80DA6A,?,00000000,?,?), ref: 6C80E76B
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(6C80DA6F,///,00000003,?,?,00000000), ref: 6C80E7AC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(6C80DA71,///,00000003), ref: 6C80E7C8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C80E8E8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C80E908
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C80E921
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C80E978
memcmp.VCRUNTIME140(?,?,6C80DA6A), ref: 6C80E991
sqlite3_initialize.NSS3(?,?,00000000,?,6C80DA6A,?,00000000,?,?), ref: 6C80E9FA
memcpy.VCRUNTIME140(?,6C80DA6A,00000000,?,?,00000000), ref: 6C80EA3A
sqlite3_initialize.NSS3(?,?,00000000), ref: 6C80EA55
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C80EABA
sqlite3_mprintf.NSS3(no such %s mode: %s,6C95E039,?), ref: 6C80EB9F
sqlite3_free.NSS3(000000FC,?,?,?,?,00000000), ref: 6C80EBDB
sqlite3_mprintf.NSS3(no such vfs: %s,?,?,?,00000000), ref: 6C80EC1A
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,//localhost/,0000000C), ref: 6C80EC2E

Strings

//localhost/, xrefs: 6C80EC26
no such vfs: %s, xrefs: 6C80EC15
file, xrefs: 6C80E738
cach, xrefs: 6C80E93A
mode, xrefs: 6C80EC58
no such %s mode: %s, xrefs: 6C80EB9A
///, xrefs: 6C80E7A3, 6C80E7C2
%s mode not allowed: %s, xrefs: 6C80ECB7

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: strlen$sqlite3_initializestrncmp$sqlite3_mprintf$memcmpmemcpysqlite3_freestrcmp
String ID: %s mode not allowed: %s$///$//localhost/$cach$file$mode$no such %s mode: %s$no such vfs: %s
API String ID: 3798319595-1352301890
Opcode ID: 4ab10ae0594d4bfbe0ac2b38d00bda29aee9e9c77d86afd50eab42759adb6cc9
Instruction ID: 7550129d2e8efd77df212735735beff92e88890d6a873984755f7d3f22a60faa
Opcode Fuzzy Hash: 4ab10ae0594d4bfbe0ac2b38d00bda29aee9e9c77d86afd50eab42759adb6cc9
Instruction Fuzzy Hash: 92F11471F052298FEB20CF64CE917AFB7B1BF06308F184929D89667A81D735A901C7E1

Function 6C7C8460 Relevance: 43.1, APIs: 23, Strings: 1, Instructions: 1095COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,00000000,00000030), ref: 6C7C84FF
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(377F0682), ref: 6C7C88BB
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(002DE218), ref: 6C7C88CE
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C7C88E2
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(FFFFFFFF), ref: 6C7C88F6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C7C894F
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C7C895F
sqlite3_randomness.NSS3(00000008,?), ref: 6C7C8914

Part of subcall function 6C7B31C0: sqlite3_initialize.NSS3 ref: 6C7B31D6

sqlite3_randomness.NSS3(00000004,?), ref: 6C7C8A13
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C7C8A65
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001), ref: 6C7C8A6F
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C7C8B87
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001), ref: 6C7C8B94
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(002E5B33), ref: 6C7C8BAD

Strings

cannot limit WAL size: %s, xrefs: 6C7C9188

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: _byteswap_ulong$sqlite3_randomness$memcmpsqlite3_initialize
String ID: cannot limit WAL size: %s
API String ID: 2554290823-3503406041
Opcode ID: b7a914700c28119760d9d6de015d0519c22923abd053ab1dd8cdf370eabc39c2
Instruction ID: dc6c9f8864a6b24043c649f9db584b6844ee26520fb2f9e69f9b01300649af35
Opcode Fuzzy Hash: b7a914700c28119760d9d6de015d0519c22923abd053ab1dd8cdf370eabc39c2
Instruction Fuzzy Hash: 64929D71A083029FD704CF29C980A5AB7F5FF99318F188A2DE99997751E730E945CB82

Function 6C88AC30 Relevance: 39.5, APIs: 26, Instructions: 539memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C88ACC4
PORT_ArenaAlloc_Util.NSS3(?,000040F4), ref: 6C88ACD5
memset.VCRUNTIME140(00000000,00000000,000040F4), ref: 6C88ACF3
SEC_ASN1EncodeInteger_Util.NSS3(?,00000018,00000003), ref: 6C88AD3B
SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C88ADC8
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C88ADDF
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C88ADF0

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C88B06A
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C88B08C
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C88B1BA
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C88B27C
memset.VCRUNTIME140(?,00000000,00002010), ref: 6C88B2CA
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C88B3C1
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C88B40C

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Error$Arena_Free$ArenaItem_memset$Alloc_CopyEncodeInteger_Mark_ValueZfree
String ID:
API String ID: 1285963562-0
Opcode ID: 297ba585df111026e48200c0889b1ab37d6dd3970bf741144e4acb7d29cec296
Instruction ID: 0077d8ed7e2def8ab86e9c76193ef5ab5217dd52f6f6b2f5ecbcf9db89997936
Opcode Fuzzy Hash: 297ba585df111026e48200c0889b1ab37d6dd3970bf741144e4acb7d29cec296
Instruction Fuzzy Hash: 91229171905301AFE720CF14CE45BAA77E1AF8430CF14897CE8585BB92E772E859CB96

Function 6C814420 Relevance: 34.4, APIs: 10, Strings: 9, Instructions: 1186stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C814EE3

Strings

non-deterministic use of %s() in %s, xrefs: 6C814D71, 6C814EA4
weekday , xrefs: 6C8154AB
a CHECK constraint, xrefs: 6C814D62, 6C814D6D, 6C814E95, 6C814EA0
second, xrefs: 6C814BCA
a generated column, xrefs: 6C814D58, 6C814E8B
40f-21a-21d, xrefs: 6C8144D0
-, xrefs: 6C814FBA
start of , xrefs: 6C81517A
an index, xrefs: 6C814D53, 6C814E86

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: strlen
String ID: -$40f-21a-21d$a CHECK constraint$a generated column$an index$non-deterministic use of %s() in %s$second$start of $weekday
API String ID: 39653677-183924012
Opcode ID: e626041a6e0c5aec81b328a97ce33c1f525d3812ac0e0015e1e7196dbcf51bfc
Instruction ID: 222f883b2f2a8b813e8cf9eb5b095a8b354395ef553770962696b4f50d13d6ee
Opcode Fuzzy Hash: e626041a6e0c5aec81b328a97ce33c1f525d3812ac0e0015e1e7196dbcf51bfc
Instruction Fuzzy Hash: F7A2223160C7868FD721CF25C2506A6B7E2AFC631CF148A5DE8DA5BE82E735D886C741

Function 6C80ECD0 Relevance: 33.8, APIs: 7, Strings: 12, Instructions: 539COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C80ED38

Part of subcall function 6C7A4F60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7A4FC4

sqlite3_mprintf.NSS3(snippet), ref: 6C80EF3C
sqlite3_mprintf.NSS3(offsets), ref: 6C80EFE4

Part of subcall function 6C8CDFC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000003,?,6C7A5001,?,00000003,00000000), ref: 6C8CDFD7

sqlite3_mprintf.NSS3(matchinfo), ref: 6C80F087
sqlite3_mprintf.NSS3(matchinfo), ref: 6C80F129
sqlite3_mprintf.NSS3(optimize), ref: 6C80F1D1
sqlite3_free.NSS3(?), ref: 6C80F368

Strings

fts4aux, xrefs: 6C80ECF9
offsets, xrefs: 6C80EFAF, 6C80EFDF, 6C80F01F
simple, xrefs: 6C80ED79
fts3, xrefs: 6C80F247
fts3tokenize, xrefs: 6C80F30F
fts4, xrefs: 6C80F2AD
optimize, xrefs: 6C80F199, 6C80F1CC, 6C80F211
matchinfo, xrefs: 6C80F04F, 6C80F082, 6C80F0C2, 6C80F0F2, 6C80F124, 6C80F169
unicode61, xrefs: 6C80EDB5
porter, xrefs: 6C80ED97
fts3_tokenizer, xrefs: 6C80EE1A, 6C80EEA8
snippet, xrefs: 6C80EF05, 6C80EF37, 6C80EF7C

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_mprintf$strlen$sqlite3_freesqlite3_initialize
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 2518200370-449611708
Opcode ID: c73edd3f69ff15eb2fca6d21c9c87c8c877c42efbb38c89f1d774369524c267c
Instruction ID: a6c32ef9be57619336f80816590b7b56f955ca05c3ab94a7fc4e5abc99e4cc20
Opcode Fuzzy Hash: c73edd3f69ff15eb2fca6d21c9c87c8c877c42efbb38c89f1d774369524c267c
Instruction Fuzzy Hash: 250212B2B083008BE7149F719E8532B32B5BFD5718F248D3CD85A87B00EB75E8468796

Function 6C84A4D0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 501stringCOMMON

Download Yara Rule

APIs

PL_strncasecmp.NSS3(6C8228AD,pkcs11:,00000007), ref: 6C84A501
PORT_Strdup_Util.NSS3(6C8228AD), ref: 6C84A514

Part of subcall function 6C880F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C822AF5,?,?,?,?,?,6C820A1B,00000000), ref: 6C880F1A
Part of subcall function 6C880F10: malloc.MOZGLUE(00000001), ref: 6C880F30
Part of subcall function 6C880F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C880F42

strchr.VCRUNTIME140(00000000,0000003A), ref: 6C84A529
PK11_GetInternalKeySlot.NSS3 ref: 6C84A60D
PR_SetError.NSS3(FFFFE041,00000000), ref: 6C84A74B
PR_SetError.NSS3(FFFFE041,00000000), ref: 6C84A777
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C84A80C
memcmp.VCRUNTIME140(?,00000001,00000000), ref: 6C84A82B
CERT_DestroyCertificate.NSS3(00000000), ref: 6C84A952
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C84A9C3

Part of subcall function 6C870960: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,?,6C84A8F5,00000000,?,00000010), ref: 6C87097E
Part of subcall function 6C870960: memcmp.VCRUNTIME140(?,00000000,6C84A8F5,00000010), ref: 6C87098D

free.MOZGLUE(00000000), ref: 6C84AB18
strchr.VCRUNTIME140(?,00000040), ref: 6C84AB40
free.MOZGLUE(?), ref: 6C84ABE1

Part of subcall function 6C844170: TlsGetValue.KERNEL32(?,6C8228AD,00000000,?,6C84A793,?,00000000), ref: 6C84419F
Part of subcall function 6C844170: EnterCriticalSection.KERNEL32(0000001C), ref: 6C8441AF
Part of subcall function 6C844170: PR_Unlock.NSS3(?), ref: 6C8441D4

Strings

token, xrefs: 6C84A875
pkcs11:, xrefs: 6C84A4FB
model, xrefs: 6C84A8CF
manufacturer, xrefs: 6C84A8A2
object, xrefs: 6C84A5CF

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: strlen$Errorfreememcmpstrchr$CertificateCriticalDestroyEnterInternalK11_L_strncasecmpSectionSlotStrdup_UnlockUtilValuemallocmemcpy
String ID: manufacturer$model$object$pkcs11:$token
API String ID: 916065474-709816111
Opcode ID: 428a76add20425029800dba8389b4bb6a191a92156543838e9e5c544d6f116e6
Instruction ID: be807979be3adc7e218aa229ed28191f6983421f643f00d102318ff758c0f433
Opcode Fuzzy Hash: 428a76add20425029800dba8389b4bb6a191a92156543838e9e5c544d6f116e6
Instruction Fuzzy Hash: CE0297B5D012289FEF319B649E41BDE7675AF15208F1448B4E80CA6712FB31DE58CFA2

Function 6C86A650 Relevance: 31.8, APIs: 21, Instructions: 278memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C86A670

Part of subcall function 6C880FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881000
Part of subcall function 6C880FF0: PR_NewLock.NSS3(?,00000800,6C81EF74,00000000), ref: 6C881016
Part of subcall function 6C880FF0: PL_InitArenaPool.NSS3(00000000,security,6C8287ED,00000008,?,00000800,6C81EF74,00000000), ref: 6C88102B

PK11_GetInternalKeySlot.NSS3 ref: 6C86A67E
PK11_Authenticate.NSS3(00000000,00000001,?), ref: 6C86A69B

Part of subcall function 6C849520: PK11_IsLoggedIn.NSS3(00000000,?,6C87379E,?,00000001,?), ref: 6C849542

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C86A6C0
TlsGetValue.KERNEL32 ref: 6C86A703
EnterCriticalSection.KERNEL32(?), ref: 6C86A718
PR_Unlock.NSS3(?), ref: 6C86A78B
PK11_CreateContextBySymKey.NSS3(00000133,00000104,?,00000000), ref: 6C86A7DD
PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C86A7FA
PORT_Alloc_Util.NSS3(00000000), ref: 6C86A818
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C86A82F
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C86A868
PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C86A873
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C86A884
PK11_FreeSymKey.NSS3(00000000), ref: 6C86A894
PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C86A8D9
PK11_CipherOp.NSS3(?,00000000,?,00000000,00000000,00000000), ref: 6C86A8F0
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C980B04), ref: 6C86A93F
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C86A952
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C86A961
PK11_DestroyContext.NSS3(?,00000001), ref: 6C86A96E

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$K11_$Item_$Zfree$Arena_Free$Alloc_ArenaContext$AuthenticateBlockCipherCreateCriticalDestroyEncodeEnterInitInternalLockLoggedPoolSectionSizeSlotUnlockValuecallocmemcpy
String ID:
API String ID: 1441238854-0
Opcode ID: a46558bcbdc26a4cfe5b9dad9dc0e3eede87010592079cb3a55949cee49e5a2b
Instruction ID: a9e8c419b156878c2db16cb2124765fd19816ba5a465793146082b2a4dee824a
Opcode Fuzzy Hash: a46558bcbdc26a4cfe5b9dad9dc0e3eede87010592079cb3a55949cee49e5a2b
Instruction Fuzzy Hash: BC91F6B1D012189BEB20DFA9DE45AEEB7B8AF1530CF144835E814ABB41F771D909C7A1

Function 6C84E6E0 Relevance: 30.6, APIs: 20, Instructions: 581memorythreadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C84E8AB
EnterCriticalSection.KERNEL32(?), ref: 6C84E8BF
PORT_Alloc_Util.NSS3(0000000C), ref: 6C84EA30
PK11_Encrypt.NSS3(?,?,?,?,?,?,00000000,?), ref: 6C84EA6A
PORT_Alloc_Util.NSS3(?), ref: 6C84EB0D
memcpy.VCRUNTIME140(00000000,00000000,?), ref: 6C84EB23
memcpy.VCRUNTIME140(?,?), ref: 6C84EB38
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C84EB50
PR_SetError.NSS3(00000000,00000000), ref: 6C84EC0F
PR_Unlock.NSS3(?), ref: 6C84EC68
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C84EC7D
PR_Unlock.NSS3(?), ref: 6C84EC9C
PK11_Decrypt.NSS3(?,?,?,?,?,?,00000000,?), ref: 6C84ECCF
PR_GetCurrentThread.NSS3 ref: 6C84ED02
PK11_Decrypt.NSS3(?,00001087,?,?,?,?,?,?), ref: 6C84ED6F
PK11_Encrypt.NSS3(?,00001087,?,?,?,?,?,?), ref: 6C84EDB7
memcpy.VCRUNTIME140(?,?,?), ref: 6C84EDF6
memcpy.VCRUNTIME140(?,?), ref: 6C84EE12
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C84EE2B

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

free.MOZGLUE(?), ref: 6C84EE43

Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107AD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107CD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107D6
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C7A204A), ref: 6C8107E4
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,6C7A204A), ref: 6C810864
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C810880
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,6C7A204A), ref: 6C8108CB
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108D7
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108FB

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$ErrorK11_memcpy$Alloc_DecryptEncryptUnlockUtilcalloc$CriticalCurrentEnterSectionThreadfree
String ID:
API String ID: 1743700497-0
Opcode ID: aeabf09fd25b7b08e9e88069ed3d4b1f7fa04c8808dd29d42755b4788378bbac
Instruction ID: 41848b5622ee697d1878755c38563a39496c3529313e5615b0f4d35ac3ac595f
Opcode Fuzzy Hash: aeabf09fd25b7b08e9e88069ed3d4b1f7fa04c8808dd29d42755b4788378bbac
Instruction Fuzzy Hash: CA324671A04309DFDB20CF59C980A9AFBE1BF89308F14896DE99997751D331E944CF92

Function 6C812560 Relevance: 30.3, APIs: 10, Strings: 7, Instructions: 533stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C7ACA30: EnterCriticalSection.KERNEL32(?,?,?,6C80F9C9,?,6C80F4DA,6C80F9C9,?,?,6C7D369A), ref: 6C7ACA7A
Part of subcall function 6C7ACA30: LeaveCriticalSection.KERNEL32(?), ref: 6C7ACB26

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8125B2
memset.VCRUNTIME140(00000000,00000000,00000079), ref: 6C8125DE
sqlite3_snprintf.NSS3(-0000000F,00000068,%s-shm,?), ref: 6C812604
sqlite3_initialize.NSS3 ref: 6C81269D
sqlite3_uri_parameter.NSS3(?,readonly_shm), ref: 6C8126D6
sqlite3_initialize.NSS3 ref: 6C81289F
EnterCriticalSection.KERNEL32(?), ref: 6C8129CD
LeaveCriticalSection.KERNEL32(?), ref: 6C812A26
sqlite3_free.NSS3(?), ref: 6C812B30

Strings

winShmMap2, xrefs: 6C812BD0
%s-shm, xrefs: 6C8125FD
winOpenShm, xrefs: 6C812B7E
winShmMap3, xrefs: 6C812C08, 6C812C3D
readonly_shm, xrefs: 6C8126CE
winShmMap1, xrefs: 6C812AB0
winFileSize, xrefs: 6C812A7D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSection$EnterLeavesqlite3_initialize$memsetsqlite3_freesqlite3_snprintfsqlite3_uri_parameterstrlen
String ID: %s-shm$readonly_shm$winFileSize$winOpenShm$winShmMap1$winShmMap2$winShmMap3
API String ID: 3867263885-4021692097
Opcode ID: 64fc6f79105c7d1bbfceca95b54b6999b47555407b0e5f08dd238a012ef64332
Instruction ID: 3fa559a5260957d698cd46800f6e8256c8458fe4d62b815b4c7abb54f0319844
Opcode Fuzzy Hash: 64fc6f79105c7d1bbfceca95b54b6999b47555407b0e5f08dd238a012ef64332
Instruction Fuzzy Hash: 8012DD71A09212DFDB25CF24D948A6A77F5FF8B314F244928E8159BB50EB38EC05CB91

Function 6C7DA7D0 Relevance: 28.2, APIs: 5, Strings: 8, Instructions: 5451COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?), ref: 6C7DA973

Strings

too many arguments on %s() - max %d, xrefs: 6C7DEB2D
MULTI-INDEX OR, xrefs: 6C7DD6E6
abbreviated query algorithm search, xrefs: 6C7DB3BF
SCAN CONSTANT ROW, xrefs: 6C7DB01D
gfff, xrefs: 6C7DED41
at most %d tables in a join, xrefs: 6C7DB630
N, xrefs: 6C7DAD0F
INDEX %d, xrefs: 6C7DD786

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: memset
String ID: N$INDEX %d$MULTI-INDEX OR$SCAN CONSTANT ROW$abbreviated query algorithm search$at most %d tables in a join$gfff$too many arguments on %s() - max %d
API String ID: 2221118986-452224314
Opcode ID: 32f60327e65f96c442b9e7e569d4bd9fe1f2cebac7a285a5ecfae167b02e22a8
Instruction ID: 97535ff47dedd3d66b847d02de89ec51343a305f47d62aa8503f793b45d3acd1
Opcode Fuzzy Hash: 32f60327e65f96c442b9e7e569d4bd9fe1f2cebac7a285a5ecfae167b02e22a8
Instruction Fuzzy Hash: D8B35A746083418FD315CF19C680B5ABBF2BF89318F168A6DE8998B751D731F846CB92

Function 6C88A730 Relevance: 27.4, APIs: 18, Instructions: 378memorystringCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C88A778

Part of subcall function 6C8814C0: TlsGetValue.KERNEL32 ref: 6C8814E0
Part of subcall function 6C8814C0: EnterCriticalSection.KERNEL32 ref: 6C8814F5
Part of subcall function 6C8814C0: PR_Unlock.NSS3 ref: 6C88150D

Part of subcall function 6C88B990: PORT_NewArena_Util.NSS3(00000800,00000000,?,FFFFFFFF,?,6C88A78B,?), ref: 6C88B9A4
Part of subcall function 6C88B990: PORT_ArenaAlloc_Util.NSS3(00000000,00000014,?), ref: 6C88B9B5
Part of subcall function 6C88B990: PK11_HashBuf.NSS3(00000004,00000000,E4840FC0,89000000,?,?,?), ref: 6C88B9D9
Part of subcall function 6C88B990: PR_SetError.NSS3(FFFFE013,00000000,?,?,?), ref: 6C88B9EC
Part of subcall function 6C88B990: PORT_FreeArena_Util.NSS3(00000000,00000001,?,?,?,?,?), ref: 6C88BA0A

Part of subcall function 6C88A3F0: PORT_ArenaMark_Util.NSS3(?), ref: 6C88A43E
Part of subcall function 6C88A3F0: PORT_ArenaMark_Util.NSS3(FFFFFFFF,?,?,?,?,?,?,00000000,?,-0000001C,?,6C88A7B5,?), ref: 6C88A457
Part of subcall function 6C88A3F0: PORT_ArenaAlloc_Util.NSS3(FFFFFFFF,00000018,?,?,?,?,?,?,?,00000000,?,-0000001C,?,6C88A7B5,?), ref: 6C88A464
Part of subcall function 6C88A3F0: SECOID_FindOIDByTag_Util.NSS3(000000A8,?,?,?,?,?,?,?,?,?,00000000,?,-0000001C,?,6C88A7B5,?), ref: 6C88A48D
Part of subcall function 6C88A3F0: SECITEM_CopyItem_Util.NSS3(FFFFFFFF,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,-0000001C), ref: 6C88A49F
Part of subcall function 6C88A3F0: PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,-0000001C), ref: 6C88A4B2

PORT_ArenaMark_Util.NSS3(?), ref: 6C88A7FC
PK11_FindKeyByAnyCert.NSS3(?,?), ref: 6C88A891
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6C88A8AF
PORT_ArenaAlloc_Util.NSS3(?,00000038), ref: 6C88A8C0
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C88A967
PK11_GetInternalKeySlot.NSS3 ref: 6C88A981
PK11_FindKeyByAnyCert.NSS3(00000000,?), ref: 6C88A9A1
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6C88A9DA
PORT_ArenaAlloc_Util.NSS3(?,00000028), ref: 6C88AA04
SECKEY_DestroyEncryptedPrivateKeyInfo.NSS3(?,00000001), ref: 6C88AA45
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C88AA70
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C88AAE3
PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C88AB10
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C88AB7D
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C88ABD8
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C88AC0F

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena$Alloc_Error$Arena_K11_Mark_$DestroyFindFreePrivate$Cert$CopyCriticalEncryptedEnterHashInfoInternalItem_SectionSlotTag_UnlockValuestrlen
String ID:
API String ID: 4141365096-0
Opcode ID: 1d79def3e9a14054c8e849d5739749cf2864c463905056e9b11e78375fd7b2ca
Instruction ID: 4ea0c28eb26f53a5c0a5c80a4cf50f2b856bf5f53a6e2e131ff5640f2577be0f
Opcode Fuzzy Hash: 1d79def3e9a14054c8e849d5739749cf2864c463905056e9b11e78375fd7b2ca
Instruction Fuzzy Hash: 10D1E571A06304ABE720CF14DE40BEB77A1AF84748F158938E8588BFD1E735E955CB92

Function 6C81EF40 Relevance: 23.4, APIs: 10, Strings: 3, Instructions: 629stringmemoryCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C81EF63

Part of subcall function 6C8287D0: PORT_NewArena_Util.NSS3(00000800,6C81EF74,00000000), ref: 6C8287E8
Part of subcall function 6C8287D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000008,?,6C81EF74,00000000), ref: 6C8287FD
Part of subcall function 6C8287D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C82884C

PL_strncasecmp.NSS3(oid.,?,00000004), ref: 6C81F2D4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C81F2FC
SEC_StringToOID.NSS3(?,?,?,00000000), ref: 6C81F30F
SECITEM_AllocItem_Util.NSS3(?,00000000,-00000002), ref: 6C81F374
PL_strcasecmp.NSS3(6C962FD4,?), ref: 6C81F457
SECOID_FindOIDByTag_Util.NSS3(00000029), ref: 6C81F4D2
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C81F66E
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C81F67D
CERT_DestroyName.NSS3(?), ref: 6C81F68B

Part of subcall function 6C828320: PORT_ArenaAlloc_Util.NSS3(0000002A,00000018), ref: 6C828338
Part of subcall function 6C828320: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C828364
Part of subcall function 6C828320: PORT_ArenaAlloc_Util.NSS3(0000002A,?), ref: 6C82838E
Part of subcall function 6C828320: memcpy.VCRUNTIME140(00000000,?,?), ref: 6C8283A5
Part of subcall function 6C828320: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8283E3

Part of subcall function 6C8284C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000004,00000000,00000000), ref: 6C8284D9
Part of subcall function 6C8284C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C828528

Part of subcall function 6C828900: PORT_ArenaGrow_Util.NSS3(00000000,?,00000000,?,00000000,?,00000000,?,6C81F599,?,00000000), ref: 6C828955

Strings

", xrefs: 6C81F21B
oid., xrefs: 6C81F2CF
*, xrefs: 6C81F3C6

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena$Alloc_$ErrorFindItem_Tag_strlen$AllocArena_DestroyGrow_L_strcasecmpL_strncasecmpNameStringZfreememcpy
String ID: "$*$oid.
API String ID: 4161946812-2398207183
Opcode ID: 3334289047142a20290d692d4f0f201d172b5d8ae000236baf59432252f6bd96
Instruction ID: 07562b3a70694a557a0939e5c9165ff2f75c5045e24417db4b8c58d37ceaec53
Opcode Fuzzy Hash: 3334289047142a20290d692d4f0f201d172b5d8ae000236baf59432252f6bd96
Instruction Fuzzy Hash: DB22297160C3528FD734CE18C69076AB7E6ABA5328F184E2EE495C7F91E7319C45C782

Function 6C87A5E0 Relevance: 23.1, APIs: 15, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797efd12e5ddabdc6f7637a104878e02b19649c783269de39d84658cda2fde42
Instruction ID: 68e10d83955d69e7dcb34a6bfa7233837ef54357fef49ef11b5292ede4638e02
Opcode Fuzzy Hash: 797efd12e5ddabdc6f7637a104878e02b19649c783269de39d84658cda2fde42
Instruction Fuzzy Hash: D4124D30D091584FCB358A28CA913ED77F29F4B318F2869E9C5A957A41F235CD85CBB1

Function 6C850570 Relevance: 22.8, APIs: 15, Instructions: 256memoryCOMMON

Download Yara Rule

APIs

PK11_HPKE_Deserialize.NSS3(?,?,?,00000000), ref: 6C8505E3
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C85060C
PK11_HPKE_DestroyContext.NSS3(?,00000000), ref: 6C85061A
PK11_PubDeriveWithKDF.NSS3 ref: 6C850712
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C850740
memcpy.VCRUNTIME140(?,00000006,?), ref: 6C850760
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C8507AE
PK11_FreeSymKey.NSS3(?), ref: 6C8507BC
PK11_FreeSymKey.NSS3(?), ref: 6C8507D1
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C8507DD
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8507EB
SECITEM_ZfreeItem_Util.NSS3(00000001,00000001), ref: 6C8507F8
PK11_CreateContextBySymKey.NSS3(?,82000105,?,?), ref: 6C85082F
memcpy.VCRUNTIME140(?,?,?), ref: 6C8508A9
SECITEM_DupItem_Util.NSS3(?), ref: 6C8508D0

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: K11_$Item_Util$ContextDestroyErrorFreeZfreememcpy$AllocCreateDeriveDeserializePublicWith
String ID:
API String ID: 657680294-0
Opcode ID: a45c3cc7e7125ad5e5d00cc3155ced8198b222cf856127cf916b84906dc5149c
Instruction ID: 51bec83a2b859e07284a5aaec62aec0cda7ea91aeda78f59e0d78fdd0f2765b8
Opcode Fuzzy Hash: a45c3cc7e7125ad5e5d00cc3155ced8198b222cf856127cf916b84906dc5149c
Instruction Fuzzy Hash: 9E919171A083409FD760CF29DE44B5A77E1AF8431CF548D2CE98987791E7B1D864CB92

Function 6C88EFF0 Relevance: 21.4, APIs: 14, Instructions: 362memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C88C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C88DAE2,?), ref: 6C88C6C2

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C88F0AE
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C88F0C8
PK11_FindKeyByAnyCert.NSS3(?,?), ref: 6C88F101
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C88F11D
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C95218C), ref: 6C88F183
SEC_GetSignatureAlgorithmOidTag.NSS3(?,00000000), ref: 6C88F19A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C88F1CB
SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C88F1EF
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C88F210

Part of subcall function 6C8352D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?,00000000,?,6C88F1E9,?,00000000,?,?), ref: 6C8352F5
Part of subcall function 6C8352D0: SEC_GetSignatureAlgorithmOidTag.NSS3(00000000,00000000), ref: 6C83530F
Part of subcall function 6C8352D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?), ref: 6C835326
Part of subcall function 6C8352D0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,00000000,?,6C88F1E9,?,00000000,?,?), ref: 6C835340

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C88F227

Part of subcall function 6C87FAB0: free.MOZGLUE(?,-00000001,?,?,6C81F673,00000000,00000000), ref: 6C87FAC7

SECOID_SetAlgorithmID_Util.NSS3(?,?,?,00000000), ref: 6C88F23E

Part of subcall function 6C87BE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C82E708,00000000,00000000,00000004,00000000), ref: 6C87BE6A
Part of subcall function 6C87BE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C8304DC,?), ref: 6C87BE7E
Part of subcall function 6C87BE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C87BEC2

PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C88F2BB
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C88F3A8

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C88F3B3

Part of subcall function 6C832D20: PK11_DestroyObject.NSS3(?,?), ref: 6C832D3C
Part of subcall function 6C832D20: PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C832D5F

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Algorithm$Item_$Tag_$CopyDestroyFind$ErrorK11_PolicyPrivateSignatureZfree$Alloc_ArenaArena_CertEncodeFreeObjectValuefree
String ID:
API String ID: 1559028977-0
Opcode ID: f848e9821ee12159e18c5a0bfb1355f2e59d8f9b628a6a470e95cf614e0f4f92
Instruction ID: 63dd68207a2f7188d1ae65081236205d2d7be9f4de9a6a0caf0fdbc8f6c95870
Opcode Fuzzy Hash: f848e9821ee12159e18c5a0bfb1355f2e59d8f9b628a6a470e95cf614e0f4f92
Instruction Fuzzy Hash: F7D180B6E022059FDB24CFA9DA80A9EB7F5FF58308F158839D915A7B11E731E805CB50

Function 6C7AECC0 Relevance: 20.0, APIs: 8, Strings: 3, Instructions: 741COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C7AED0A
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C7AEE68
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C7AEF87
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?), ref: 6C7AEF98

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7AF483
%s at line %d of [%.10s], xrefs: 6C7AF492
database corruption, xrefs: 6C7AF48D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: _byteswap_ulong
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 4101233201-598938438
Opcode ID: b75c94e6fd249e7cabb06e20c43eecc0ca85408ca76af14ecca7b30dce50ef71
Instruction ID: d3fa499c57e61427fa6230a162965a4d0862e98c76ba01eeadad550c1326f1b4
Opcode Fuzzy Hash: b75c94e6fd249e7cabb06e20c43eecc0ca85408ca76af14ecca7b30dce50ef71
Instruction Fuzzy Hash: 09622330A05245CFEB14CFA5C68479ABBF1BF45318F2842ADD8556BB92D331E887CB90

Function 6C850EC0 Relevance: 16.7, APIs: 11, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6C850F8D
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C850FB3
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C851006
PK11_FreeSymKey.NSS3(?), ref: 6C85101C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C851033
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C85103F
PK11_FreeSymKey.NSS3(00000000), ref: 6C851048
memcpy.VCRUNTIME140(?,?,?), ref: 6C85108E
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C8510BB
memcpy.VCRUNTIME140(?,00000006,?), ref: 6C8510D6
memcpy.VCRUNTIME140(?,?,?), ref: 6C85112E

Part of subcall function 6C851570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6C8508C4,?,?), ref: 6C8515B8
Part of subcall function 6C851570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6C8508C4,?,?), ref: 6C8515C1
Part of subcall function 6C851570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C85162E
Part of subcall function 6C851570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C851637

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
String ID:
API String ID: 1510409361-0
Opcode ID: 8c4f8736eacb09fcf78c0899f4cbb8c25594f7d6a7124cffae9bebcc952b296c
Instruction ID: 2681c9bc8730b6c5f0f4de0b474287e822f1c7e4424806b94152c36e47bcc511
Opcode Fuzzy Hash: 8c4f8736eacb09fcf78c0899f4cbb8c25594f7d6a7124cffae9bebcc952b296c
Instruction Fuzzy Hash: E871E3B1A002058FDB60CFA9CE84A6AF7B0FF44358F548A3CE90997751E7B1D964CB91

Function 6C80C650 Relevance: 16.5, APIs: 7, Strings: 2, Instructions: 760COMMON

Download Yara Rule

Strings

0123456789ABCDEF, xrefs: 6C80D104
0123456789abcdef, xrefs: 6C80C859

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 0-885041942
Opcode ID: c51eb2b3a79767186e948ff59149bd7f34a5208d7069788b58467af706dfd8b2
Instruction ID: 992e2da797a3aa236fc88dc3220a3de2557d4ac1c968f9626aba36a38ae058f7
Opcode Fuzzy Hash: c51eb2b3a79767186e948ff59149bd7f34a5208d7069788b58467af706dfd8b2
Instruction Fuzzy Hash: B752F3707087058FD724DF28C99035ABBE2AF86358F148E2DE89587792E735D846CB63

Function 6C8F8550 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 528stringCOMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000021B,recovered %d pages from %s,00000000,?), ref: 6C8F85CC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8F86CA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8F875F
memset.VCRUNTIME140(?,00000000,?), ref: 6C8F893A
sqlite3_free.NSS3(?), ref: 6C8F8977
sqlite3_free.NSS3 ref: 6C8F89A5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C8F8B68
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8F8B79

Strings

recovered %d pages from %s, xrefs: 6C8F85C2

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@sqlite3_free$memsetsqlite3_logstrcmpstrlen
String ID: recovered %d pages from %s
API String ID: 1138475946-1623757624
Opcode ID: 776f7cbfeb2da807c096ac07ea457a3b697542eefc22daa7de97983f104eb380
Instruction ID: 09ed75a19b335cbcde09f2df47c5626ed861e4c4f1c84aaddfca706ced816f3d
Opcode Fuzzy Hash: 776f7cbfeb2da807c096ac07ea457a3b697542eefc22daa7de97983f104eb380
Instruction Fuzzy Hash: B7125A746083019FD714CF29C994B6BB7E5EF8A348F148D2DE9AA87751E730E806CB52

Function 6C876C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C821C6F,00000000,00000004,?,?), ref: 6C876C3F

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C821C6F,00000000,00000004,?,?), ref: 6C876C60
PR_ExplodeTime.NSS3(00000000,6C821C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C821C6F,00000000,00000004,?,?), ref: 6C876C94

Strings

gfff, xrefs: 6C876CFD
gfff, xrefs: 6C876D66
gfff, xrefs: 6C876CF5
gfff, xrefs: 6C876D9C
gfff, xrefs: 6C876D30

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: 3d7f1695b0c376b245cc19786175a52f358cf843bca4d17274ae2d472b3319fc
Instruction ID: d426c6a58bd63c7f44038b040984ffccf6fb1f7f04fcc840958e25a662f3fd39
Opcode Fuzzy Hash: 3d7f1695b0c376b245cc19786175a52f358cf843bca4d17274ae2d472b3319fc
Instruction Fuzzy Hash: 58513A72B016494FC718CEADDD526DEBBDAABA4310F48C23AE442DB781E638D906C751

Function 6C8F0F20 Relevance: 15.4, APIs: 3, Strings: 7, Instructions: 394stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,-00000001), ref: 6C8F1027
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C8F10B2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8F1353

Strings

zeroblob(%d), xrefs: 6C8F1223
-- , xrefs: 6C8F0FF5
$, xrefs: 6C8F12A0
%lld, xrefs: 6C8F114B
'%.*q', xrefs: 6C8F1217, 6C8F1292
%02x, xrefs: 6C8F12F6
NULL, xrefs: 6C8F119E

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: memcpy$strlen
String ID: $$%02x$%lld$'%.*q'$-- $NULL$zeroblob(%d)
API String ID: 2619041689-2155869073
Opcode ID: ad6587281db81a057b6834973a3605a4bba3a11f9eca8c72e6a83113ec3714bb
Instruction ID: 65ba9bb2875154eca0bb040097afedc819c17d8776808bd142ca4311ac8384c3
Opcode Fuzzy Hash: ad6587281db81a057b6834973a3605a4bba3a11f9eca8c72e6a83113ec3714bb
Instruction Fuzzy Hash: B7E1A1B16083809FD724CF58C580A6BBBF1AFC6398F148D2DE5A587B51E771E846CB42

Function 6C8F8FB0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8F8FEE
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8F90DC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8F9118
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8F915C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8F91C2
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8F9209

Strings

UUUU, xrefs: 6C8F9255
3333, xrefs: 6C8F925E

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: _byteswap_ulong$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: 3333$UUUU
API String ID: 1967222509-2679824526
Opcode ID: 203b5cdcef4223352c1b7cb9120ddbe211a5dc6f66945f131f8810ccb385f370
Instruction ID: 88155b6b27c73f29b103f4bac2f1672ba3936454f1f3a14d2e9d27167d003cb6
Opcode Fuzzy Hash: 203b5cdcef4223352c1b7cb9120ddbe211a5dc6f66945f131f8810ccb385f370
Instruction Fuzzy Hash: 23A1BF72E001159BDB14CF68CD90BAEB7B5BF88364F194529E919E7341E736EC42CBA0

Function 6C7B0FE0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 6C7ACA30: EnterCriticalSection.KERNEL32(?,?,?,6C80F9C9,?,6C80F4DA,6C80F9C9,?,?,6C7D369A), ref: 6C7ACA7A
Part of subcall function 6C7ACA30: LeaveCriticalSection.KERNEL32(?), ref: 6C7ACB26

memset.VCRUNTIME140(00000000,00000000,00000C0A), ref: 6C7B103E
EnterCriticalSection.KERNEL32(?), ref: 6C7B1139
LeaveCriticalSection.KERNEL32(?), ref: 6C7B1190
sqlite3_free.NSS3(00000000), ref: 6C7B1227
sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,00000001,0000BCFE), ref: 6C7B126E
sqlite3_free.NSS3(?), ref: 6C7B127F

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 6C7B1267
winAccess, xrefs: 6C7B129B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSection$EnterLeavesqlite3_free$memsetsqlite3_log
String ID: delayed %dms for lock/sharing conflict at line %d$winAccess
API String ID: 2733752649-1873940834
Opcode ID: 9830ce2def11b73645cb94d72a49e33b6cb80bdf216e71297a5699c248e24c96
Instruction ID: d8b3ec1449ba718b46fd7c34daa70f7026cf23e52ea2579a509cb212c29fea34
Opcode Fuzzy Hash: 9830ce2def11b73645cb94d72a49e33b6cb80bdf216e71297a5699c248e24c96
Instruction Fuzzy Hash: 9071083170A615DFEB049F24DE99AAA3375EF87354F244639F915E7A80DB30D801CBA2

Function 6C7BAEC0 Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,?,6C8DCF46,?,6C7ACDBD,?,6C8DBF31,?,?,?,?,?,?,?), ref: 6C7BB039
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C8DCF46,?,6C7ACDBD,?,6C8DBF31), ref: 6C7BB090
sqlite3_free.NSS3(?,?,?,?,?,?,6C8DCF46,?,6C7ACDBD,?,6C8DBF31), ref: 6C7BB0A2
CloseHandle.KERNEL32(?,?,6C8DCF46,?,6C7ACDBD,?,6C8DBF31,?,?,?,?,?,?,?,?,?), ref: 6C7BB100
sqlite3_free.NSS3(?,?,00000002,?,6C8DCF46,?,6C7ACDBD,?,6C8DBF31,?,?,?,?,?,?,?), ref: 6C7BB115
sqlite3_free.NSS3(?,?,?,?,?,?,6C8DCF46,?,6C7ACDBD,?,6C8DBF31), ref: 6C7BB12D

Part of subcall function 6C7A9EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C7BC6FD,?,?,?,?,6C80F965,00000000), ref: 6C7A9F0E
Part of subcall function 6C7A9EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C80F965,00000000), ref: 6C7A9F5D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
String ID:
API String ID: 3155957115-0
Opcode ID: 67ec37f2cc7ab7da5f3f30f0c0987e45556edd8e47c77639dd7e2dd1db240fa2
Instruction ID: 2da4fad8a20afba6f3ae6dceba0103d11e4eaced1e91db518b0dfc8e95ee2266
Opcode Fuzzy Hash: 67ec37f2cc7ab7da5f3f30f0c0987e45556edd8e47c77639dd7e2dd1db240fa2
Instruction Fuzzy Hash: CD91E1B1A08205CFDB14DF64CA84AABB7B5FF46318F244A3DE416A7A50EB31E845CB51

Function 6C938D20 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 471threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C9814E4,6C8ECC70), ref: 6C938D47
PR_GetCurrentThread.NSS3 ref: 6C938D98

Part of subcall function 6C810F00: PR_GetPageSize.NSS3(6C810936,FFFFE8AE,?,6C7A16B7,00000000,?,6C810936,00000000,?,6C7A204A), ref: 6C810F1B
Part of subcall function 6C810F00: PR_NewLogModule.NSS3(clock,6C810936,FFFFE8AE,?,6C7A16B7,00000000,?,6C810936,00000000,?,6C7A204A), ref: 6C810F25

PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C938E7B
htons.WSOCK32(?), ref: 6C938EDB
PR_GetCurrentThread.NSS3 ref: 6C938F99
PR_GetCurrentThread.NSS3 ref: 6C93910A

Strings

%u.%u.%u.%u, xrefs: 6C938E74

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
String ID: %u.%u.%u.%u
API String ID: 1845059423-1542503432
Opcode ID: 7561d32836b08b204833371a67b36033a0e6ff45416706fd6cb48d658b6e6f6d
Instruction ID: ce531b544d2afacefe04cd2e96a5cbc316ef1ff641c4ab4738ef79532b2a339e
Opcode Fuzzy Hash: 7561d32836b08b204833371a67b36033a0e6ff45416706fd6cb48d658b6e6f6d
Instruction Fuzzy Hash: 2802DD319092718FDB18CF19C458366BBB7EF43308F1A825AD8996FB91C735DA09C790

Function 6C8DA480 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 235COMMON

Download Yara Rule

APIs

_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C8FC3A2,?,?,00000000,00000000), ref: 6C8DA528
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011843,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C8DA6E0
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8DA71B
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8DA738

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C8DA6CA
%s at line %d of [%.10s], xrefs: 6C8DA6D9
database corruption, xrefs: 6C8DA6D4

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: _byteswap_ushort$_byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 622669576-598938438
Opcode ID: f13a7d7bcedd91baf679fb311a37efc072c447d09003a1c7ef592ace832ef01f
Instruction ID: 4650a3231467910eafb07eca5f86b045ffaf70cf1810120a685807c34d6e22b1
Opcode Fuzzy Hash: f13a7d7bcedd91baf679fb311a37efc072c447d09003a1c7ef592ace832ef01f
Instruction Fuzzy Hash: 9891F3716083158BC724CF69C5806AAB7F1BF48314F664E6DE8958BB91EB70FC45C782

Function 6C8B4540 Relevance: 12.2, APIs: 8, Instructions: 170COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C8B4571
memset.VCRUNTIME140(?,00000000,00000000), ref: 6C8B45B1
memcpy.VCRUNTIME140(?,?,00000020), ref: 6C8B45C2

Part of subcall function 6C8B04C0: WaitForSingleObject.KERNEL32(ED850FC0,000000FF,?,00000000,?,6C8B461B,-00000004), ref: 6C8B04DF
Part of subcall function 6C8B04C0: PR_SetError.NSS3(FFFFE89D,00000000,?,00000000,?,6C8B461B,-00000004), ref: 6C8B0534

PR_Now.NSS3 ref: 6C8B4626

Part of subcall function 6C8E9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C930A27), ref: 6C8E9DC6
Part of subcall function 6C8E9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C930A27), ref: 6C8E9DD1
Part of subcall function 6C8E9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8E9DED

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8B4634
memcmp.VCRUNTIME140(?,?,?,00000000,?,000F4240,00000000), ref: 6C8B46C4
PR_SetError.NSS3(FFFFD05A,00000000,00000000,?,000F4240,00000000), ref: 6C8B46E3
PR_SetError.NSS3(?,00000000), ref: 6C8B4722

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ErrorTime$SystemUnothrow_t@std@@@__ehfuncinfo$??2@$FileObjectSingleValueWaitmemcmpmemcpymemset
String ID:
API String ID: 1183590942-0
Opcode ID: 626612384147e99619851185893a3254adc4239866fe87bfccfd68da8e0f43a5
Instruction ID: 60bf42e011f92679ad8f40f3f6140310009d77c6770f5e37b0172436b707362b
Opcode Fuzzy Hash: 626612384147e99619851185893a3254adc4239866fe87bfccfd68da8e0f43a5
Instruction Fuzzy Hash: E261D2B1A046059FEB20CF68D985B9AB7F1FF9A308F144928E845ABB51E730E915CB40

Function 6C7BEFB0 Relevance: 12.1, Strings: 9, Instructions: 815COMMON

Download Yara Rule

Strings

table, xrefs: 6C7BF05C, 6C7BFABC, 6C7BFAC7
not authorized, xrefs: 6C7BF957, 6C7BF9BA
authorizer malfunction, xrefs: 6C7BF95C, 6C7BF9BF, 6C7BFA5E, 6C7BFA8B
%s %T already exists, xrefs: 6C7BFAC8
view, xrefs: 6C7BF061, 6C7BF071, 6C7BFAB7
temporary table name must be unqualified, xrefs: 6C7BF734
sqlite_temp_master, xrefs: 6C7BF0A6, 6C7BF2D5
sqlite_master, xrefs: 6C7BF0AB, 6C7BF2DA, 6C7BF757, 6C7BF93E
there is already an index named %s, xrefs: 6C7BF9D7

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: %s %T already exists$authorizer malfunction$not authorized$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
API String ID: 3168844106-1126224928
Opcode ID: 4daa9fee699d047635f2833e6c3e42b6584313728f1238dc005d7b20c4230c09
Instruction ID: 4b362b2c5a3a0251e0d8ad851e82e3e0423d475a2acc6e85f20d7a88c517240a
Opcode Fuzzy Hash: 4daa9fee699d047635f2833e6c3e42b6584313728f1238dc005d7b20c4230c09
Instruction Fuzzy Hash: C072E278E042058FDB14CF29C684BAABBF1FF49708F1481ADD914ABB52D775E846CB90

Function 6C834420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?), ref: 6C834444
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C834466

Part of subcall function 6C881200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C8288A4,00000000,00000000), ref: 6C881228
Part of subcall function 6C881200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C881238
Part of subcall function 6C881200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C8288A4,00000000,00000000), ref: 6C88124B
Part of subcall function 6C881200: PR_CallOnce.NSS3(6C982AA4,6C8812D0,00000000,00000000,00000000,?,6C8288A4,00000000,00000000), ref: 6C88125D
Part of subcall function 6C881200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C88126F
Part of subcall function 6C881200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C881280
Part of subcall function 6C881200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C88128E
Part of subcall function 6C881200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C88129A
Part of subcall function 6C881200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C8812A1

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C83447A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C83448A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C834494

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Item_Zfree$ArenaCriticalFreePoolSectionfree$Arena_CallClearDeleteEnterOnceUnlockValuememset
String ID:
API String ID: 241050562-0
Opcode ID: 6f8328db7a022c80a1ac9990dc35c1ecd36ed1e0ac917d4eb4ce38126b82cb46
Instruction ID: 036ed763b8270d6469aea0a405cd1e9497bcb6825132c55c5d6d18668a7d4e20
Opcode Fuzzy Hash: 6f8328db7a022c80a1ac9990dc35c1ecd36ed1e0ac917d4eb4ce38126b82cb46
Instruction Fuzzy Hash: B71196B2D017149BD7308F659D405A7B7F8FF9921C7145F3EE89D52A00F371B59886A0

Function 6C93CDC0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 423stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C93D086
PR_Malloc.NSS3(00000001), ref: 6C93D0B9
PR_Free.NSS3(?), ref: 6C93D138

Strings

>, xrefs: 6C93CF5B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: FreeMallocstrlen
String ID: >
API String ID: 1782319670-325317158
Opcode ID: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction ID: d4e3eca2bf5edfa508cfd80a61bb9cb2bab03e2c8d64b0681d1d9253280577ad
Opcode Fuzzy Hash: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction Fuzzy Hash: 4ED17B63B51A7A0BEB28487C8CB13EA77978743378F582325D1299BBE5E719C9438341

Function 6C8DAD50 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6de56c12ff7e7965ddb5983b3980ca8176885f18052fb213a56303e312b2c5
Instruction ID: 17585b4d37eeb6ba076845f69bacafb69f7497c5ec6e49a8fd02f5be20e95eac
Opcode Fuzzy Hash: cc6de56c12ff7e7965ddb5983b3980ca8176885f18052fb213a56303e312b2c5
Instruction Fuzzy Hash: EEF1BE71E0A265CFDB15CF28CA447FA77B0AB8B308F264A29C915D7740E774A945CBE0

Function 6C8B25B0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,6C895A85), ref: 6C8B2675
PK11_Encrypt.NSS3(?,00001081,00000000,?,?,00000010,?,00000010), ref: 6C8B2659

Part of subcall function 6C863850: TlsGetValue.KERNEL32 ref: 6C86389F
Part of subcall function 6C863850: EnterCriticalSection.KERNEL32(?), ref: 6C8638B3
Part of subcall function 6C863850: PR_Unlock.NSS3(?), ref: 6C8638F1
Part of subcall function 6C863850: TlsGetValue.KERNEL32 ref: 6C86390F
Part of subcall function 6C863850: EnterCriticalSection.KERNEL32(?), ref: 6C863923
Part of subcall function 6C863850: PR_Unlock.NSS3(?), ref: 6C863972

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8B2697
PK11_Encrypt.NSS3(?,?,?,?,00000000,6C895A85,?,6C895A85), ref: 6C8B2717

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalEncryptEnterK11_SectionUnlockValue$Errormemcpy
String ID:
API String ID: 3114817199-0
Opcode ID: 47ecf1346436efe9160359f25ac2a56e52054bdcd1f1811381e593f200240dd2
Instruction ID: ef8ed036ff9a608c528dfd131e9727191afd9dc89e66021a72cc14472e9b3d44
Opcode Fuzzy Hash: 47ecf1346436efe9160359f25ac2a56e52054bdcd1f1811381e593f200240dd2
Instruction Fuzzy Hash: 54414771A083856AFB318E18CD89FDB73A8EFC6718F204919E94426741EB35998587D3

Function 6C808540 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 782COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000011C,automatic index on %s(%s),?,00000001), ref: 6C808705

Strings

BINARY, xrefs: 6C808B02, 6C808DA2, 6C808E27, 6C808E60
automatic index on %s(%s), xrefs: 6C8086FB

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_log
String ID: BINARY$automatic index on %s(%s)
API String ID: 632333372-611788421
Opcode ID: cf92c3fa11afe2f94ede678a60763b8ce9525b4d23f840431d16b662a88df95e
Instruction ID: b93c67f59b33283a982c98fcabb2ddc922bb13efc0a74c2ee6380357a5611417
Opcode Fuzzy Hash: cf92c3fa11afe2f94ede678a60763b8ce9525b4d23f840431d16b662a88df95e
Instruction Fuzzy Hash: B862BF75A083419FD714CF28C981B1AB7F1BF89348F148A5EE8999B751D731EC86CB82

Function 6C7F64D0 Relevance: 5.7, Strings: 4, Instructions: 724COMMON

Download Yara Rule

Strings

WB|l, xrefs: 6C7F679E
not authorized, xrefs: 6C7F6D47, 6C7F6D4C
authorizer malfunction, xrefs: 6C7F6E3E
WB|l, xrefs: 6C7F655C

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID: WB|l$WB|l$authorizer malfunction$not authorized
API String ID: 0-2285873704
Opcode ID: 673164a06c301a8f49da19ad99ef6cbfc6ae369741be51c950232630ecba64d0
Instruction ID: cb9400dde6a4fb1f7e8701f8f4c247d09d3b5cbb1f1ba1715352ca3514984cc1
Opcode Fuzzy Hash: 673164a06c301a8f49da19ad99ef6cbfc6ae369741be51c950232630ecba64d0
Instruction Fuzzy Hash: F0627F70A04204CFDB14CF29C584AA97BF2FF89308F2581ADD9259B766D736E917CB90

Function 6C7B6F10 Relevance: 5.2, Strings: 4, Instructions: 218COMMON

Download Yara Rule

Strings

unordered*, xrefs: 6C7B702B
sz=[0-9]*, xrefs: 6C7B7049
*?[, xrefs: 6C7B7034, 6C7B7052, 6C7B7070
noskipscan*, xrefs: 6C7B7067

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID: *?[$noskipscan*$sz=[0-9]*$unordered*
API String ID: 0-3485574213
Opcode ID: 8ecf69f1ee5a5530f6d8d814a5fa957a4dc444183f749697ff5bc3c76d33985f
Instruction ID: 134a92173b3a775b9d7b3f23956aaf4b6ce6cc3adc601004a109f33bf31896c0
Opcode Fuzzy Hash: 8ecf69f1ee5a5530f6d8d814a5fa957a4dc444183f749697ff5bc3c76d33985f
Instruction Fuzzy Hash: 0771AA32F002194BEB148E6DC98039A73A29FC1314F294279CD69BBFC2D6719D0687F1

Function 6C84EE70 Relevance: 3.2, APIs: 2, Instructions: 223COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C84F019
PK11_GenerateRandom.NSS3(?,00000000), ref: 6C84F0F9

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ErrorGenerateK11_Random
String ID:
API String ID: 3009229198-0
Opcode ID: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
Instruction ID: 8265857f24cc8c64f510173df65726ab21c0199d70517b91d59d0857f3a7e83f
Opcode Fuzzy Hash: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
Instruction Fuzzy Hash: 64919171A0071A8BCB24CF68C9916AEB7F1FF95325F148B2DD962A7BC0D730A905CB51

Function 6C816410 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

bind.WSOCK32(?,?,?,?,6C816401,?,?,0000001C), ref: 6C816422
WSAGetLastError.WSOCK32(?,?,?,?,6C816401,?,?,0000001C), ref: 6C816432

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ErrorLastbind
String ID:
API String ID: 2328862993-0
Opcode ID: f456ccdb1e3c1fd0dfe4ea7f50aef8be549060bf7dd6523552c17151d2cde162
Instruction ID: 054bef670dc2f0f00ad5fd25e3545aef53605b02c5a14e3cb8c725d281ab148c
Opcode Fuzzy Hash: f456ccdb1e3c1fd0dfe4ea7f50aef8be549060bf7dd6523552c17151d2cde162
Instruction Fuzzy Hash: 2FE01D351541196FCB019FB4DC0486B37D5DF2822C750C950F91DC7A71E731D955C780

Function 6C890E20 Relevance: 2.8, APIs: 2, Instructions: 279COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,00000000,00000000,00000000), ref: 6C891052
memset.VCRUNTIME140(-0000001C,?,?,00000000), ref: 6C891086

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 9183448f70b219bc2dcb62b9d94cbcbc69de1daadf3d94bdb5b8548a93534e82
Instruction ID: 08c8e89bf3f374eea468f7870e5e56a512e2c42a1f84f8c9b395693c03f0c054
Opcode Fuzzy Hash: 9183448f70b219bc2dcb62b9d94cbcbc69de1daadf3d94bdb5b8548a93534e82
Instruction Fuzzy Hash: EEA14A71A0125A9FCF18CF9DC990AEEBBB6BF8D314B148529E905A7700D735ED01CBA0

Function 6C7BAC60 Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

winUnlock, xrefs: 6C7BAE18
winUnlockReadLock, xrefs: 6C7BAE9F

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID: winUnlock$winUnlockReadLock
API String ID: 0-3432436631
Opcode ID: 6a5ddf6ba41bfcc7bc3d2f10c00135df3dc45e0a240d650393747ca35712a09c
Instruction ID: 54a43b4b52b25c3477e6f33d03b7ae2d91d71ca9e18a8da2393180f2b5702969
Opcode Fuzzy Hash: 6a5ddf6ba41bfcc7bc3d2f10c00135df3dc45e0a240d650393747ca35712a09c
Instruction Fuzzy Hash: 50719F706093449FDB14DF28D890AABBBF5FF8A314F24CA28F94997211D730A985CBD1

Function 6C87ED70 Relevance: 1.7, APIs: 1, Instructions: 217memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C), ref: 6C87EE3D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Alloc_ArenaUtil
String ID:
API String ID: 2062749931-0
Opcode ID: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction ID: 771189662b4bc1e2dc851bdbab4d698820205d1d59b2c3c90bfe82ab20db1ab3
Opcode Fuzzy Hash: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction Fuzzy Hash: 0F71D572E01B058FD738CF59C9806AEB7F2AB98304F154A6DD85597B91E730E940CBA1

Function 6C7B4DB0 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 6C7B5125

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID: winUnlockReadLock
API String ID: 0-4244601998
Opcode ID: c84d1cb57055eaf8750c3e57d55d3377b5dd7884bef6762e94376bee31df3056
Instruction ID: 493d525c3a598f225c61b677c99e36d88088e3b3fea99495028720a662c5bf2b
Opcode Fuzzy Hash: c84d1cb57055eaf8750c3e57d55d3377b5dd7884bef6762e94376bee31df3056
Instruction Fuzzy Hash: 26E11D70A09344CFDB05DF28D59465ABBF0FF8A318F258A1DF889A7251E7309985CF92

Function 6C7D46D0 Relevance: 1.0, Instructions: 958COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aad08f6fcb721b55373833c8af79f614071d84f5fca98d2408fe02d3f8c4718
Instruction ID: 55ddad9e4d4491de8d8dd2ae24baa56eb541b89bd6c399159d18924528e3d2ca
Opcode Fuzzy Hash: 3aad08f6fcb721b55373833c8af79f614071d84f5fca98d2408fe02d3f8c4718
Instruction Fuzzy Hash: C0929074A00205CFCB15CF58C590AAABBF2FF89318F2982ADC9556B756D731F942CB90

Function 6C83E5F0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalEnterExitMonitorSectionUnlockValue
String ID:
API String ID: 344640607-0
Opcode ID: 2f06de32957ef09d859428503f12e031f1fc8e63e375d6a8f69af95bc2c21204
Instruction ID: f5c886340e70f173d62b87208aa925b8eef73a01a6dee258c134a9b0be5c50bb
Opcode Fuzzy Hash: 2f06de32957ef09d859428503f12e031f1fc8e63e375d6a8f69af95bc2c21204
Instruction Fuzzy Hash: F8D1C1B1D006289BEB219F94DA407EE77B5AF4530CF042938E80967B41E735ED19CBD2

Function 6C7A45B0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3689f7e97c0f7916ee6bb5f86f6ca18c9b4596427cab059dbfcf74e6d6ec88
Instruction ID: b95cf35ea91386ffa6754bf90618c3aab04b3513ed3976bd536564d4aee10841
Opcode Fuzzy Hash: 1b3689f7e97c0f7916ee6bb5f86f6ca18c9b4596427cab059dbfcf74e6d6ec88
Instruction Fuzzy Hash: E1D1C572E006168BCB0CCF99C9901AEBBF2BF98314719866ED4459B751DB75D903DB80

Function 6C83A430 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a931ebbc58fbb8097661cf202180ebc9c6a73185f91cf81c81ddab875d7d7dc
Instruction ID: 60871de7044cdb4c6a7f73a801c87048dc665dd41a5bcfd6022f02773efc7c0b
Opcode Fuzzy Hash: 9a931ebbc58fbb8097661cf202180ebc9c6a73185f91cf81c81ddab875d7d7dc
Instruction Fuzzy Hash: 0E816D706012298FDF28CFD8D684BEA7BE4AF48304F15A56DE81A9B750DB74D941CBD0

Function 6C818EA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715246d3722bf172006b7c2b050c5e983f5cb3fa8375e1a9af742d3eee2a7ae7
Instruction ID: 444d134e44958cfd4c7173c2b5484152ea395ae2c2afc6924a56cb5e37f33008
Opcode Fuzzy Hash: 715246d3722bf172006b7c2b050c5e983f5cb3fa8375e1a9af742d3eee2a7ae7
Instruction Fuzzy Hash: 9F110132A0921A8FD724CF24D989B5AB3E6FF4231CF164A6AD8058FE41C375D882C7D1

Function 6C8F0C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c09c7fe9b011fa4820cbf5e0b5d055e6f546ab1de936b0ce2d69b164fdde7f8
Instruction ID: e7992831b913543a504e60d3e7b12e1552cc12f00b19e0fefcba49819325b42e
Opcode Fuzzy Hash: 4c09c7fe9b011fa4820cbf5e0b5d055e6f546ab1de936b0ce2d69b164fdde7f8
Instruction Fuzzy Hash: 6211C175708345CFCB10DF18C89466A77A5FF853A8F248569D8298B701EB31E807CBA0

Function 6C8644C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80723c9d54c6edf4bda9fed24880c6addac062634250e64ac1192b1d62844ad6
Instruction ID: f7f7513436ce6750c58cf1b9a27fba874005a3d69d3735ec47e1d2ab327901ab
Opcode Fuzzy Hash: 80723c9d54c6edf4bda9fed24880c6addac062634250e64ac1192b1d62844ad6
Instruction Fuzzy Hash: 26110976E002199F8B10CF99D9809EFBBF9EF8D664B554429ED18E7301D230ED108BE1

Function 6C864440 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f003740fe83e4183bfbccd476010936a6aee65cdb1abd321154c0d53a823e63f
Instruction ID: 117d235e914d680f3fbb1d5b1549e96f7bbacd038a88bd1f1ffe422dbde5929f
Opcode Fuzzy Hash: f003740fe83e4183bfbccd476010936a6aee65cdb1abd321154c0d53a823e63f
Instruction Fuzzy Hash: 6111C975A002199F9B10DF59C9819EFB7F9EF8C214B16456AED18E7301E630ED118BE1

Function 6C8F0D60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction ID: 1d07f51318af76ce3f011a7147e7a8572132c904cce0693fdcab5eac3e09d81a
Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction Fuzzy Hash: EAE0D83A202054AFDB249F49C550AA97359DFC165AFB8897DCC6D9FA01D733F80387A1

Function 6C848670 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$K11_$Alloc_ArenaArena_DoesFindMechanismTag_
String ID:
API String ID: 2003479236-0
Opcode ID: 23e773cf1430b448038cb5704f69fb380029e02cc391f3ea17a25ad626348aa6
Instruction ID: 66864463af68b382b9d5e4019cafa03b37aaf9ca350a4243f6980069669e74c0
Opcode Fuzzy Hash: 23e773cf1430b448038cb5704f69fb380029e02cc391f3ea17a25ad626348aa6
Instruction Fuzzy Hash: 4EE0B6B0C08B489BD708DF6AD54106AFBE4AFD8214F00D92DFC9C87212E730A5D48B82

Function 6C81CC60 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0388a4be2acd6362861b2286acc38eb35bd26a0162c2c4bdd44d471ec0220394
Instruction ID: 3f1522539cedd48d6c6b12e58fa5b1ba14f68a0203bc9889228bca4262201183
Opcode Fuzzy Hash: 0388a4be2acd6362861b2286acc38eb35bd26a0162c2c4bdd44d471ec0220394
Instruction Fuzzy Hash: 6AC04838248608CFC704DE08E4999A53BA8AF0A6107240094EA028B721EA21F800CA80

Function 6C826740 Relevance: 45.6, APIs: 14, Strings: 12, Instructions: 122COMMON

Download Yara Rule

APIs

PL_strcasecmp.NSS3(?,other), ref: 6C82674D
PL_strcasecmp.NSS3(?,email), ref: 6C826763
PL_strcasecmp.NSS3(?,rfc822), ref: 6C826779
PL_strcasecmp.NSS3(?,dns), ref: 6C82678F
PL_strcasecmp.NSS3(?,x400), ref: 6C8267A5
PL_strcasecmp.NSS3(?,x400addr), ref: 6C8267BB
PL_strcasecmp.NSS3(?,directory), ref: 6C8267D1
PL_strcasecmp.NSS3(?,6C95C3B1), ref: 6C8267E7
PL_strcasecmp.NSS3(?,edi), ref: 6C8267FD
PL_strcasecmp.NSS3(?,ediparty), ref: 6C826813
PL_strcasecmp.NSS3(?,uri), ref: 6C826829
PL_strcasecmp.NSS3(?,6C95B3F4), ref: 6C82683F
PL_strcasecmp.NSS3(?,ipaddr), ref: 6C826851
PL_strcasecmp.NSS3(?,registerid), ref: 6C826863

Strings

rfc822, xrefs: 6C826773
ipaddr, xrefs: 6C82684B
other, xrefs: 6C826747
dns, xrefs: 6C826789
uri, xrefs: 6C826823
directory, xrefs: 6C8267CB
registerid, xrefs: 6C82685D
x400, xrefs: 6C82679F
ediparty, xrefs: 6C82680D
edi, xrefs: 6C8267F7
x400addr, xrefs: 6C8267B5
email, xrefs: 6C82675D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: L_strcasecmp
String ID: directory$dns$edi$ediparty$email$ipaddr$other$registerid$rfc822$uri$x400$x400addr
API String ID: 4194642261-1102114343
Opcode ID: 0bc654358c50fc957320f2db36a380fb938a1fd8e236842266c67e45ee195f4d
Instruction ID: b7e29b14c7176c232bbd491c68bc68b7cd1b2c61860e6c8a985e667eff571a48
Opcode Fuzzy Hash: 0bc654358c50fc957320f2db36a380fb938a1fd8e236842266c67e45ee195f4d
Instruction Fuzzy Hash: 12314986A0252673EF3451296F0CBAA2269CB5624FF400C35FD44E1E84FB8DD6AD81F6

Function 6C8A67C0 Relevance: 45.3, APIs: 30, Instructions: 254COMMON

Download Yara Rule

APIs

CERT_DestroyCertificate.NSS3(53E58955,00000000,00000060,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A67D4

Part of subcall function 6C8295B0: TlsGetValue.KERNEL32(00000000,?,6C8400D2,00000000), ref: 6C8295D2
Part of subcall function 6C8295B0: EnterCriticalSection.KERNEL32(?,?,?,6C8400D2,00000000), ref: 6C8295E7
Part of subcall function 6C8295B0: PR_Unlock.NSS3(?,?,?,?,6C8400D2,00000000), ref: 6C829605

Part of subcall function 6C8AF2E0: free.MOZGLUE(-00000694,00000000,?,6C8B2B36,-00000694), ref: 6C8AF2F4

SECKEY_DestroyPrivateKey.NSS3(EC835657,00000000,00000060,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A67E7
free.MOZGLUE(83CF893E,00000000,00000060,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A67FA
CERT_DestroyCertificate.NSS3(?,00000000,00000060,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6828
PORT_FreeArena_Util.NSS3(04890424,00000000,00000000,00000060,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6838
SECKEY_DestroyPublicKey.NSS3(8B088B0A,6C8B5D40,00000000,?,6C8BAAD4,?,?,?,?,?,?,?,?,00000000,?,6C8B80C1), ref: 6C8A685B
CERT_DestroyCertificate.NSS3(8904508B,6C8B5D40,00000000,?,6C8BAAD4,?,?,?,?,?,?,?,?,00000000,?,6C8B80C1), ref: 6C8A686E
PORT_FreeArena_Util.NSS3(?,00000000,00000000,00000060,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A688D
PORT_FreeArena_Util.NSS3(C0850001,00000000,00000000,00000060,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A68A9
PK11_DestroyContext.NSS3(896C9816,00000001,00000000,00000060,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A68BE
PK11_DestroyContext.NSS3(15FF2404,00000001,00000000,00000060,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A68D3
PK11_DestroyContext.NSS3(6C97CCEC,00000001,00000000,00000060,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A68E8
PK11_DestroyContext.NSS3(8504EC83,00000001,00000000,00000060,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A68FD
free.MOZGLUE(892C4889), ref: 6C8A6940
SECITEM_ZfreeItem_Util.NSS3(6C8B6218,00000000), ref: 6C8A6953
SECITEM_ZfreeItem_Util.NSS3(6C8B6310,00000000,6C8B5D40,00000000,?,6C8BAAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C8A6963
SECITEM_ZfreeItem_Util.NSS3(6C8B6390,00000000,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6973
free.MOZGLUE(894AD231,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A699E
PK11_FreeSymKey.NSS3(0F6C9560,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A69EE
PK11_FreeSymKey.NSS3(4E89C844,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6A01
PK11_FreeSymKey.NSS3(01EAE904,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6A14
PK11_FreeSymKey.NSS3(E3830000,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6A27
PK11_FreeSymKey.NSS3(1BE3C101,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6A3A
PK11_FreeSymKey.NSS3(FFFFFFB8,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6A4D
PK11_FreeSymKey.NSS3(023DE9F7,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6A60
PK11_FreeSymKey.NSS3(E3830000,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6A73
PK11_FreeSymKey.NSS3(0CE3C101,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6A86
PK11_FreeSymKey.NSS3(FFEFFFB8,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6A99

Part of subcall function 6C86ADC0: TlsGetValue.KERNEL32(?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE10
Part of subcall function 6C86ADC0: EnterCriticalSection.KERNEL32(?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE24
Part of subcall function 6C86ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C84D079,00000000,00000001), ref: 6C86AE5A
Part of subcall function 6C86ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE6F
Part of subcall function 6C86ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE7F
Part of subcall function 6C86ADC0: TlsGetValue.KERNEL32(?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AEB1
Part of subcall function 6C86ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AEC9

PK11_HPKE_DestroyContext.NSS3(15FF2404,00000001,?,?,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8A6AD1
free.MOZGLUE(6C97CCEC,?,?,?,?,?,?,?,?,?,?,?,?,6C8B5D40,00000000), ref: 6C8A6AE4

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: K11_$Free$Destroy$Utilfree$Context$Arena_CertificateCriticalEnterItem_SectionValueZfree$Unlock$PrivatePublicmemset
String ID:
API String ID: 474436658-0
Opcode ID: 82d8531e156816d97acb5a6c40267020a5c48f43b3c49eafdd8e810bea45ffb3
Instruction ID: 6d07c2f33511d97fef1d9112fb49c3ef199b9c6b23b5da5772c749176b40e05e
Opcode Fuzzy Hash: 82d8531e156816d97acb5a6c40267020a5c48f43b3c49eafdd8e810bea45ffb3
Instruction Fuzzy Hash: E2814EF5A00B0057EA30DAB9EE85BD776EC6F1064DF044C38E46AD7A41FB25F119CA62

Function 6C8F6E50 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 213stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C7ACA30: EnterCriticalSection.KERNEL32(?,?,?,6C80F9C9,?,6C80F4DA,6C80F9C9,?,?,6C7D369A), ref: 6C7ACA7A
Part of subcall function 6C7ACA30: LeaveCriticalSection.KERNEL32(?), ref: 6C7ACB26

memset.VCRUNTIME140(00000000,00000000,?,?,6C7BBE66), ref: 6C8F6E81
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6C7BBE66), ref: 6C8F6E98
sqlite3_snprintf.NSS3(?,00000000,6C95AAF9,?,?,?,?,?,?,6C7BBE66), ref: 6C8F6EC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6C7BBE66), ref: 6C8F6ED2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6C7BBE66), ref: 6C8F6EF8
sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6C7BBE66), ref: 6C8F6F1F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6C7BBE66), ref: 6C8F6F28
sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6C7BBE66), ref: 6C8F6F3D
memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6C7BBE66), ref: 6C8F6FA6
sqlite3_snprintf.NSS3(?,00000000,6C95AAF9,00000000,?,?,?,?,?,?,?,6C7BBE66), ref: 6C8F6FDB
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6C7BBE66), ref: 6C8F6FE4
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C7BBE66), ref: 6C8F6FEF
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C7BBE66), ref: 6C8F7014
sqlite3_free.NSS3(00000000,?,?,?,?,6C7BBE66), ref: 6C8F701D
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6C7BBE66), ref: 6C8F7030
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6C7BBE66), ref: 6C8F705B
sqlite3_free.NSS3(00000000,?,?,?,?,?,6C7BBE66), ref: 6C8F7079
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C7BBE66), ref: 6C8F7097
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6C7BBE66), ref: 6C8F70A0

Strings

winGetTempname1, xrefs: 6C8F708F
winGetTempname5, xrefs: 6C8F7071
winGetTempname2, xrefs: 6C8F70C4
mz_etilqs_, xrefs: 6C8F6F18
winGetTempname4, xrefs: 6C8F7046

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
String ID: mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 593473924-707647140
Opcode ID: 7e786dd7a21e11e3ceea12b648f64c2784b410398f36de5f764f5f58d5355f5d
Instruction ID: ba5e31e91f21e772548c7605055fed34fb6ca077a7b5b60d6019af8babb9f477
Opcode Fuzzy Hash: 7e786dd7a21e11e3ceea12b648f64c2784b410398f36de5f764f5f58d5355f5d
Instruction Fuzzy Hash: 33518E72A0411167F32096349D59FBB366A9FD2398F240B34E82597BC2FF26D51F82D2

Function 6C884FE0 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 175COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C8375C2,00000000,00000000,00000001), ref: 6C885009
PL_strncasecmp.NSS3(?,library=,00000008,?,?,?,?,?,?,?,?,00000000,00000000,?,6C8375C2,00000000), ref: 6C885049
PL_strncasecmp.NSS3(?,name=,00000005,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C88505D
PL_strncasecmp.NSS3(?,parameters=,0000000B,?,?,?,?,?,?,?,?), ref: 6C885071
PL_strncasecmp.NSS3(?,nss=,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 6C885089
PL_strncasecmp.NSS3(?,config=,00000007,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8850A1
NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6C8850B2
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C8375C2), ref: 6C8850CB
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8850D9
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C8850F5
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C885103
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C88511D
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C88512B
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C885145
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C885153
free.MOZGLUE(?), ref: 6C88516D
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C88517B
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C885195

Strings

name=, xrefs: 6C885057
config=, xrefs: 6C88509B
parameters=, xrefs: 6C88506B
nss=, xrefs: 6C885083
library=, xrefs: 6C885043

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: FetchL_strncasecmpValuefree$isspace$ParameterSkip
String ID: config=$library=$name=$nss=$parameters=
API String ID: 391827415-203331871
Opcode ID: 81fc003d8f3d60a88c942c0dfc11a796b542e270dab361f675f896bfab8e0158
Instruction ID: d95c86778c2c6e06a8160473b13c4ed8504c594bbf5e19607ff47edf4b0f05ef
Opcode Fuzzy Hash: 81fc003d8f3d60a88c942c0dfc11a796b542e270dab361f675f896bfab8e0158
Instruction Fuzzy Hash: 4C5176B5A022155BFB21DF24DE41AAF37A8AF06248F140834EC5AE7F41E735E915C7B2

Function 6C884C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C874F51,00000000), ref: 6C884C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C874F51,00000000), ref: 6C884C5B
PR_smprintf.NSS3(6C95AAF9,?,0000002F,?,?,?,00000000,00000000,?,6C874F51,00000000), ref: 6C884C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C874F51,00000000), ref: 6C884CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C884CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C884CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C884D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C874F51,00000000), ref: 6C884D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C874F51,00000000), ref: 6C884D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C884D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C884DA2
free.MOZGLUE(?), ref: 6C884DB9
free.MOZGLUE(00000000), ref: 6C884DCF

Strings

rootFlags, xrefs: 6C884D47
%s,%s, xrefs: 6C884C4B
any, xrefs: 6C884C96
rust, xrefs: 6C884D22
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6C884D9D
slotFlags, xrefs: 6C884D34
every, xrefs: 6C884CA1
0x%08lx=[%s %s], xrefs: 6C884D80
timeout, xrefs: 6C884C91
ootT, xrefs: 6C884D1A

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: 8fb4bd5f5779e535d3243505d6ae7efa0194731622b0195ac8836831e101cdfd
Instruction ID: 01260d9c0800798e721a92ab356a3c93853c35feacef09d281b46cab992d1e48
Opcode Fuzzy Hash: 8fb4bd5f5779e535d3243505d6ae7efa0194731622b0195ac8836831e101cdfd
Instruction Fuzzy Hash: 1941ACB3D021416BDB329F189D54ABA366DAFD2309F594534E80A0BF02E735D924C7E3

Function 6C85E640 Relevance: 34.8, APIs: 23, Instructions: 266memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(0000000C,?,6C868C5B,-00000001), ref: 6C85E655

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

PK11_GetIVLength.NSS3(-00000001,?,?,6C868C5B,-00000001), ref: 6C85E7DE
PORT_Alloc_Util.NSS3(00000000,?,?,?,6C868C5B,-00000001), ref: 6C85E7F4
PK11_GenerateRandom.NSS3(00000000,00000000,?,?,?,?,6C868C5B,-00000001), ref: 6C85E807
PK11_GetIVLength.NSS3(-00000001,?,?,6C868C5B,-00000001), ref: 6C85E81B
PORT_Alloc_Util.NSS3(00000000,?,?,?,6C868C5B,-00000001), ref: 6C85E82E
PK11_GenerateRandom.NSS3(00000000,00000000,?,?,?,?,6C868C5B,-00000001), ref: 6C85E841
free.MOZGLUE(00000000,?,?,?,?,?,?,6C868C5B,-00000001), ref: 6C85E852
PORT_Alloc_Util.NSS3(00000004,?,?,6C868C5B,-00000001), ref: 6C85E878
free.MOZGLUE(00000000,?,?,6C868C5B,-00000001), ref: 6C85E8AB
PORT_Alloc_Util.NSS3(0000000C,?,?,?,6C868C5B,-00000001), ref: 6C85E8B6
PORT_Alloc_Util.NSS3(00000008,?,?,?,?,6C868C5B,-00000001), ref: 6C85E8D4
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C85E9D5

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Alloc_$K11_$GenerateLengthRandomfree$Item_ValueZfreemalloc
String ID:
API String ID: 1964932494-0
Opcode ID: 1bd4a35e3163f65c079b95279f0ea6ae81cf4c8128b5e3dacf353482de0df365
Instruction ID: 8a518b49e53162948cfaca5ba364d5562d8020ca1219c094988c23671aa9051d
Opcode Fuzzy Hash: 1bd4a35e3163f65c079b95279f0ea6ae81cf4c8128b5e3dacf353482de0df365
Instruction Fuzzy Hash: A981D7F09027155BFBF08B289F8176B75E89B0174CF604C36C85982E41FBB9E96487D2

Function 6C862D80 Relevance: 33.4, APIs: 22, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C862DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C862E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C862E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C862E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C834F1C,?,-00000001,00000000,?), ref: 6C862E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C834F1C,?,-00000001,00000000), ref: 6C862E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C862EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C862EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C862EF8
PR_Unlock.NSS3(?), ref: 6C862F62
TlsGetValue.KERNEL32 ref: 6C862F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6C862F9E
PR_Unlock.NSS3(?), ref: 6C862FCA
TlsGetValue.KERNEL32 ref: 6C86301A
EnterCriticalSection.KERNEL32(?), ref: 6C86302E
PR_Unlock.NSS3(?), ref: 6C863066
PR_SetError.NSS3(00000000,00000000), ref: 6C863085
PR_Unlock.NSS3(?), ref: 6C8630EC
TlsGetValue.KERNEL32 ref: 6C86310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6C863124
PR_Unlock.NSS3(?), ref: 6C86314C

Part of subcall function 6C849180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C87379E,?,6C849568,00000000,?,6C87379E,?,00000001,?), ref: 6C84918D
Part of subcall function 6C849180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C87379E,?,6C849568,00000000,?,6C87379E,?,00000001,?), ref: 6C8491A0

Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107AD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107CD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107D6
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C7A204A), ref: 6C8107E4
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,6C7A204A), ref: 6C810864
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C810880
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,6C7A204A), ref: 6C8108CB
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108D7
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108FB

PR_SetError.NSS3(00000000,00000000), ref: 6C86316D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID:
API String ID: 3383223490-0
Opcode ID: e80cb31d4d050188a25d054f2b64467e1eae47d7af089a70e5ba4f36ea140a48
Instruction ID: 9fa952e28352e6bcbc69f09bbba88dff7ae946869c7962bf84751449d4e75809
Opcode Fuzzy Hash: e80cb31d4d050188a25d054f2b64467e1eae47d7af089a70e5ba4f36ea140a48
Instruction Fuzzy Hash: DFF1EEB1D00208DFDF21DF69D984B9ABBB4BF0A318F144969EC04A7B11E731E985CB91

Function 6C880550 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 182stringCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(NSS_ALLOW_WEAK_SIGNATURE_ALG,00000002,00000000,?,6C865989), ref: 6C880571

Part of subcall function 6C811240: TlsGetValue.KERNEL32(00000040,?,6C81116C,NSPR_LOG_MODULES), ref: 6C811267
Part of subcall function 6C811240: EnterCriticalSection.KERNEL32(?,?,?,6C81116C,NSPR_LOG_MODULES), ref: 6C81127C
Part of subcall function 6C811240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C81116C,NSPR_LOG_MODULES), ref: 6C811291
Part of subcall function 6C811240: PR_Unlock.NSS3(?,?,?,?,6C81116C,NSPR_LOG_MODULES), ref: 6C8112A0

PR_GetEnvSecure.NSS3(NSS_HASH_ALG_SUPPORT,?,00000002,00000000,?,6C865989), ref: 6C8805B7
PORT_Strdup_Util.NSS3(00000000,?,?,00000002,00000000,?,6C865989), ref: 6C8805C8
strchr.VCRUNTIME140(00000000,0000003B,?,?,?,00000002,00000000,?,6C865989), ref: 6C8805EC
strstr.VCRUNTIME140(00000001,?), ref: 6C880653
free.MOZGLUE(?,?,?,?,00000002,00000000,?,6C865989), ref: 6C880681
PORT_NewArena_Util.NSS3(00000800,?,?,?,?,00000002,00000000,?,6C865989), ref: 6C8806AB
PL_NewHashTable.NSS3(00000000,6C87FE80,?,6C8CC350,00000000,00000000,?,?,?,?,?,00000002,00000000,?,6C865989), ref: 6C8806D5
PL_NewHashTable.NSS3(00000000,?,6C8CC350,6C8CC350,00000000,00000000), ref: 6C8806EC
PL_HashTableAdd.NSS3(?,6C94E618,6C94E618), ref: 6C88070F

Part of subcall function 6C7A2DF0: PL_HashTableRawAdd.NSS3(?,?,?,?,?), ref: 6C7A2E35

PL_HashTableAdd.NSS3(FFFFFFFF,6C94E618), ref: 6C880738
PL_HashTableAdd.NSS3(6C94E634,6C94E634), ref: 6C880752
PR_SetError.NSS3(FFFFE001,00000000,?,?,?,?,00000002,00000000,?,6C865989), ref: 6C880767

Strings

NSS_ALLOW_WEAK_SIGNATURE_ALG, xrefs: 6C88056C
flags, xrefs: 6C880555
V, xrefs: 6C880559
NSS_HASH_ALG_SUPPORT, xrefs: 6C8805B2
dynamic OID data, xrefs: 6C88068A

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: HashTable$SecureUtil$Arena_CriticalEnterErrorSectionStrdup_UnlockValuefreegetenvstrchrstrstr
String ID: NSS_ALLOW_WEAK_SIGNATURE_ALG$NSS_HASH_ALG_SUPPORT$V$dynamic OID data$flags
API String ID: 514890423-4248967104
Opcode ID: 8ec0ff0b6c02fcbf8f3f982869934bffbd0d5df5d8ccc65f183c6b212e6744ca
Instruction ID: 19b40c95df3e066b7e7ef8088a18bdd7391c556e38d75ebc881207dd7b792952
Opcode Fuzzy Hash: 8ec0ff0b6c02fcbf8f3f982869934bffbd0d5df5d8ccc65f183c6b212e6744ca
Instruction Fuzzy Hash: 7851C3B1E076855AEB20DB758E09B573AE4AB83358F280D35D818D7F82F731D8058BA1

Function 6C866CD0 Relevance: 30.3, APIs: 20, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C866910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C866943
Part of subcall function 6C866910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C866957
Part of subcall function 6C866910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C866972
Part of subcall function 6C866910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C866983
Part of subcall function 6C866910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C8669AA
Part of subcall function 6C866910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C8669BE
Part of subcall function 6C866910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C8669D2
Part of subcall function 6C866910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C8669DF
Part of subcall function 6C866910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C866A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C866D8C
free.MOZGLUE(00000000), ref: 6C866DC5
free.MOZGLUE(?), ref: 6C866DD6
free.MOZGLUE(?), ref: 6C866DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C866E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C866E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C866E72
free.MOZGLUE(?), ref: 6C866EA7
free.MOZGLUE(?), ref: 6C866EC4
free.MOZGLUE(?), ref: 6C866ED5
free.MOZGLUE(00000000), ref: 6C866EE3
free.MOZGLUE(?), ref: 6C866EF4
free.MOZGLUE(?), ref: 6C866F08
free.MOZGLUE(00000000), ref: 6C866F35
free.MOZGLUE(?), ref: 6C866F44
free.MOZGLUE(?), ref: 6C866F5B
free.MOZGLUE(00000000), ref: 6C866F65

Part of subcall function 6C866C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C86781D,00000000,6C85BE2C,?,6C866B1D,?,?,?,?,00000000,00000000,6C86781D), ref: 6C866C40
Part of subcall function 6C866C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C86781D,?,6C85BE2C,?), ref: 6C866C58
Part of subcall function 6C866C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C86781D), ref: 6C866C6F
Part of subcall function 6C866C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C866C84
Part of subcall function 6C866C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C866C96
Part of subcall function 6C866C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C866CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C866F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C866FC5
PK11_GetInternalKeySlot.NSS3 ref: 6C866FF4

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID:
API String ID: 1304971872-0
Opcode ID: 47a09c006da4eb8a897174718fc6080b4fdd1ce045ce10e0d84a0c8a6e4057d6
Instruction ID: b9387550c02003ca75ce569fd4cd2ea2095480fbab41472fad1a8f6a598c4fe9
Opcode Fuzzy Hash: 47a09c006da4eb8a897174718fc6080b4fdd1ce045ce10e0d84a0c8a6e4057d6
Instruction Fuzzy Hash: 91B198B0E012999FDF21CFA6DA45B9E7BB4BF05349F240925E815E7E00E731E914CBA1

Function 6C864C20 Relevance: 30.3, APIs: 20, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C864C4C
EnterCriticalSection.KERNEL32(?), ref: 6C864C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C864CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C864CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C864CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C864D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C864D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C864DB7

Part of subcall function 6C8CDD70: TlsGetValue.KERNEL32 ref: 6C8CDD8C
Part of subcall function 6C8CDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C8CDDB4

Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107AD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107CD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107D6
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C7A204A), ref: 6C8107E4
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,6C7A204A), ref: 6C810864
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C810880
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,6C7A204A), ref: 6C8108CB
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108D7
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108FB

TlsGetValue.KERNEL32 ref: 6C864DD7
EnterCriticalSection.KERNEL32(?), ref: 6C864DEC
PR_Unlock.NSS3(?), ref: 6C864E1B
PR_SetError.NSS3(00000000,00000000), ref: 6C864E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C864E5A
PR_SetError.NSS3(00000000,00000000), ref: 6C864E71
free.MOZGLUE(00000000), ref: 6C864E7A
PR_Unlock.NSS3(?), ref: 6C864EA2
TlsGetValue.KERNEL32 ref: 6C864EC1
EnterCriticalSection.KERNEL32(?), ref: 6C864ED6
PR_Unlock.NSS3(?), ref: 6C864F01
free.MOZGLUE(00000000), ref: 6C864F2A

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID:
API String ID: 759471828-0
Opcode ID: 3a7917879bb4a2524463ee0a24b980ead41f147cccfcb0f4efbba4828e5fe083
Instruction ID: 0e6ec37fd5630bf34e23ae863d7b81293ea66579dec9d332278b41d2caa79b6e
Opcode Fuzzy Hash: 3a7917879bb4a2524463ee0a24b980ead41f147cccfcb0f4efbba4828e5fe083
Instruction Fuzzy Hash: E2B12071A04205DFDB21EF69D950AAE77B4BF86318F144928ED0597F01EB30E960CBE1

Function 6C8B6E90 Relevance: 30.1, APIs: 11, Strings: 6, Instructions: 305fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6C8B6BF7), ref: 6C8B6EB6

Part of subcall function 6C811240: TlsGetValue.KERNEL32(00000040,?,6C81116C,NSPR_LOG_MODULES), ref: 6C811267
Part of subcall function 6C811240: EnterCriticalSection.KERNEL32(?,?,?,6C81116C,NSPR_LOG_MODULES), ref: 6C81127C
Part of subcall function 6C811240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C81116C,NSPR_LOG_MODULES), ref: 6C811291
Part of subcall function 6C811240: PR_Unlock.NSS3(?,?,?,?,6C81116C,NSPR_LOG_MODULES), ref: 6C8112A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6C95FC0A,6C8B6BF7), ref: 6C8B6ECD
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C8B6EE0
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6C8B6EFC
PR_NewLock.NSS3 ref: 6C8B6F04
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C8B6F18
PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6C8B6BF7), ref: 6C8B6F30
PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6C8B6BF7), ref: 6C8B6F54
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6C8B6BF7), ref: 6C8B6FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6C8B6BF7), ref: 6C8B6FFD

Strings

# SSL/TLS secrets log file, generated by NSS, xrefs: 6C8B6EF7
NSS_SSL_CBC_RANDOM_IV, xrefs: 6C8B6FF8
NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6C8B6FDB
NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6C8B6F4F
SSLFORCELOCKS, xrefs: 6C8B6F2B
SSLKEYLOGFILE, xrefs: 6C8B6EB1

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
API String ID: 412497378-2352201381
Opcode ID: 05000e378d2b22a2dae9e2dc57ae06026aa53f26a842e3da030ef3ca21c2501b
Instruction ID: 9e757baa9b7ca7a51fa188d4c9d4dc99fcfa9a580b4e4d971dfb4ee3a61a9d7b
Opcode Fuzzy Hash: 05000e378d2b22a2dae9e2dc57ae06026aa53f26a842e3da030ef3ca21c2501b
Instruction Fuzzy Hash: 7AA106B2A5FB848AE730463CCE0135832A1AF97329FA84F69E835D7FD5DB35A4408251

Function 6C82C4B0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C82C4D5

Part of subcall function 6C87BE30: SECOID_FindOID_Util.NSS3(6C83311B,00000000,?,6C83311B,?), ref: 6C87BE44

NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C82C516
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C82C530
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C82C54E
NSS_GetAlgorithmPolicy.NSS3(00000000,00000000), ref: 6C82C5CB
VFY_VerifyDataWithAlgorithmID.NSS3(00000002,?,?,?,?,?,?), ref: 6C82C712
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C82C725
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C82C742
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C82C751
PL_FinishArenaPool.NSS3(?), ref: 6C82C77A
NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C82C78F
NSS_GetAlgorithmPolicy.NSS3(?,00000000), ref: 6C82C7A9

Strings

security, xrefs: 6C82C63F

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Algorithm$Policy$Util$ErrorTag_$ArenaDataFindFinishPoolVerifyWith
String ID: security
API String ID: 1085474831-3315324353
Opcode ID: 673122d32141d43c71a75dfa91ddb086fb35a768811b785e1d6e7341b99d1141
Instruction ID: 8af20cfdd4d469a9b5a8d59d2669cbcaf0479f26b5d1ee022b6d6c86e4b69d87
Opcode Fuzzy Hash: 673122d32141d43c71a75dfa91ddb086fb35a768811b785e1d6e7341b99d1141
Instruction Fuzzy Hash: DD81F871C01108AAFF30AA98DF88FFE7774AF0231CF144925DD15A6A53E725E989CAD1

Function 6C894500 Relevance: 28.8, APIs: 19, Instructions: 319threadCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(6C893803,?,6C893817,00000000), ref: 6C89450E

Part of subcall function 6C8807B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C828298,?,?,?,6C81FCE5,?), ref: 6C8807BF
Part of subcall function 6C8807B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8807E6
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C88081B
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C880825

PR_SetError.NSS3(FFFFE005,00000000,?,6C893817,00000000), ref: 6C894550
SECOID_FindOIDByTag_Util.NSS3(00000004,00000000), ref: 6C8945B5
SECOID_FindOIDByTag_Util.NSS3(000000BF,00000000), ref: 6C894709
SECOID_GetAlgorithmTag_Util.NSS3(?,00000000), ref: 6C894727
SECOID_GetAlgorithmTag_Util.NSS3(?,?,00000000), ref: 6C89473B
PORT_NewArena_Util.NSS3(00000400,?,?,?,?,?,?,?,00000000), ref: 6C894801
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C952DA0,?,?,?,?,?,?,?,?,00000000), ref: 6C89482E
PR_GetCurrentThread.NSS3 ref: 6C8948F3
PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C894923
PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C894937
SECKEY_DestroyPublicKey.NSS3(?,?,?,00000000), ref: 6C89494E
PR_SetError.NSS3(FFFFE02F,00000000,?,?,?,00000000), ref: 6C894963
PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C894984
VFY_VerifyDataWithAlgorithmID.NSS3(?,?,?,6C8921C2,?,?,?), ref: 6C89499C
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C8949B5
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,00000000), ref: 6C8949C5
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C8949DC
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C8949E9

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Error$Arena_Tag_$AlgorithmFindFree$DestroyHashLookupPublicTable$ConstCurrentDataEncodeItem_ThreadVerifyWith
String ID:
API String ID: 3698863438-0
Opcode ID: a85ec08a0774fd334ff4faa082006e02e4b62840b11dcaceef5ac0c2f78edfe3
Instruction ID: f7449d5dd661ee4f2024fa7d58bf005f67571f9bf25918492b9e1159f384a08a
Opcode Fuzzy Hash: a85ec08a0774fd334ff4faa082006e02e4b62840b11dcaceef5ac0c2f78edfe3
Instruction Fuzzy Hash: 7EA11971E012186BEF308AACDE40BEE3765AFC531CF144934E925A7B91E731E844C791

Function 6C8107A0 Relevance: 28.7, APIs: 19, Instructions: 156COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107AD
TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107CD
TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107D6
calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C7A204A), ref: 6C8107E4
TlsSetValue.KERNEL32(00000000,?,6C7A204A), ref: 6C810864
calloc.MOZGLUE(00000001,0000002C), ref: 6C810880
TlsSetValue.KERNEL32(00000000,?,?,6C7A204A), ref: 6C8108CB
TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108D7
TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108FB
InitializeCriticalSectionAndSpinCount.KERNEL32(00000040,000005DC,?,6C7A204A), ref: 6C81091F
GetLastError.KERNEL32(?,6C7A204A), ref: 6C81092A
free.MOZGLUE(00000000,?,?,6C7A204A), ref: 6C81093A
DeleteCriticalSection.KERNEL32(00000040,?,?,?,6C7A204A), ref: 6C810946
free.MOZGLUE(00000000,?,?,?,6C7A204A), ref: 6C81094D
free.MOZGLUE(?,?,?,6C7A204A), ref: 6C81095E
DeleteCriticalSection.KERNEL32(00000040,?,?,?,6C7A204A), ref: 6C81096B
free.MOZGLUE(00000000,?,?,?,6C7A204A), ref: 6C810972
EnterCriticalSection.KERNEL32(?,?,?,6C7A204A), ref: 6C81098D
_PR_MD_UNLOCK.NSS3(?), ref: 6C8109D0

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$CriticalSectionfree$Deletecalloc$CountEnterErrorInitializeLastSpin
String ID:
API String ID: 4248343880-0
Opcode ID: a3ad26cf7c9df1e772d80cba13c5aceff567b3e3c9ab6c467e55dee2a8c5cd08
Instruction ID: cb3022de815e514937051e2cff97c1c704dc82ff552a337cd2d8f2d6035f1f64
Opcode Fuzzy Hash: a3ad26cf7c9df1e772d80cba13c5aceff567b3e3c9ab6c467e55dee2a8c5cd08
Instruction Fuzzy Hash: B751E17160A316DBEB219F39CD48B4A3BF8BF07344F280C28E45A87A41DB30E415CBA0

Function 6C878E40 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 198stringmemoryCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6C878E01,00000000,6C879060,6C980B64), ref: 6C878E7B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6C878E01,00000000,6C879060,6C980B64), ref: 6C878E9E
PORT_ArenaAlloc_Util.NSS3(6C980B64,00000001,?,?,?,?,6C878E01,00000000,6C879060,6C980B64), ref: 6C878EAD
memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6C878E01,00000000,6C879060,6C980B64), ref: 6C878EC3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6C878E01,00000000,6C879060,6C980B64), ref: 6C878ED8
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6C878E01,00000000,6C879060,6C980B64), ref: 6C878EE5
memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6C878E01), ref: 6C878EFB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C980B64,6C980B64), ref: 6C878F11
PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6C878F3F

Part of subcall function 6C87A110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6C87A421,00000000,00000000,6C879826), ref: 6C87A136

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C87904A

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6C878E76

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
API String ID: 977052965-1032500510
Opcode ID: 835c4ef7df3254857d489e0da28be9a9465e5b890a91a4d3d56501715a01ff74
Instruction ID: 82ac84445888c27dea1b9582a4918b117d83a3f5b23fcaa41e0b3cb31d3bbeb3
Opcode Fuzzy Hash: 835c4ef7df3254857d489e0da28be9a9465e5b890a91a4d3d56501715a01ff74
Instruction Fuzzy Hash: C561BFB1D011199BDB20CF55CD84AAFB7B5EF94358F144928EC19A7740E732E915CBB0

Function 6C828E00 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C828E5B
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C828E81
PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C828EED
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C9518D0,?), ref: 6C828F03
PR_CallOnce.NSS3(6C982AA4,6C8812D0), ref: 6C828F19
PL_FreeArenaPool.NSS3(?), ref: 6C828F2B
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C828F53
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C828F65
PL_FinishArenaPool.NSS3(?), ref: 6C828FA1
SECITEM_DupItem_Util.NSS3(?), ref: 6C828FFE
PR_CallOnce.NSS3(6C982AA4,6C8812D0), ref: 6C829012
PL_FreeArenaPool.NSS3(?), ref: 6C829024
PL_FinishArenaPool.NSS3(?), ref: 6C82902C
PORT_DestroyCheapArena.NSS3(?), ref: 6C82903E

Strings

security, xrefs: 6C828EE7

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
String ID: security
API String ID: 3512696800-3315324353
Opcode ID: 5f0e1b681f6cc5d9c758df1ec5477581d8b4c7182413b43c4792af75093f2349
Instruction ID: 92b666220209e2fe419237869e20a9439285baccd47f62433fd4ae3a9f3e3ebc
Opcode Fuzzy Hash: 5f0e1b681f6cc5d9c758df1ec5477581d8b4c7182413b43c4792af75093f2349
Instruction Fuzzy Hash: 34516CB6508300ABDB308A18DE48FAB73E8AF8575CF440C2EF95497B40E739D8488793

Function 6C8227F0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

CERT_GetCommonName.NSS3(?), ref: 6C822801
CERT_GetOrgUnitName.NSS3(?), ref: 6C822810
CERT_GetOrgName.NSS3(?), ref: 6C822821
PR_smprintf.NSS3(6C95AAF9,?), ref: 6C822869
PR_smprintf.NSS3(%s - %s #%d,00000000,?,00000002), ref: 6C82287D
PR_smprintf.NSS3(%s #%d,?,00000001), ref: 6C822890
CERT_FindCertByNickname.NSS3(?,00000000), ref: 6C8228A8
CERT_DestroyCertificate.NSS3(00000000), ref: 6C8228B5
free.MOZGLUE(00000000), ref: 6C8228BE
free.MOZGLUE(00000000), ref: 6C8228D2
free.MOZGLUE(?), ref: 6C8228E3
PORT_Strdup_Util.NSS3(Unknown CA), ref: 6C822905

Strings

%s - %s, xrefs: 6C822855
Unknown CA, xrefs: 6C822900
%s - %s #%d, xrefs: 6C822878

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: NameR_smprintffree$CertCertificateCommonDestroyFindNicknameStrdup_UnitUtil
String ID: %s - %s$%s - %s #%d$Unknown CA
API String ID: 778386754-45099391
Opcode ID: ffc313b4983c0c8f3c0d9bb363151f091b885d03a8e03d17a2a478ae86d9cf7f
Instruction ID: 759d390b8b986d86c0d6a035e1b0cbc0d53da326b03ea66226b95cbc13c855c9
Opcode Fuzzy Hash: ffc313b4983c0c8f3c0d9bb363151f091b885d03a8e03d17a2a478ae86d9cf7f
Instruction Fuzzy Hash: 33313AB6E1113667EF219AA95E4D99B366CFF0136CF080D30ED1992B01F72DD59882E3

Function 6C8ECD70 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C8ECC7B), ref: 6C8ECD7A

Part of subcall function 6C8ECE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C85C1A8,?), ref: 6C8ECE92

PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C8ECDA5
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C8ECDB8
PR_UnloadLibrary.NSS3(00000000), ref: 6C8ECDDB
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C8ECD8E

Part of subcall function 6C8105C0: PR_EnterMonitor.NSS3 ref: 6C8105D1
Part of subcall function 6C8105C0: PR_ExitMonitor.NSS3 ref: 6C8105EA

PR_LoadLibrary.NSS3(wship6.dll), ref: 6C8ECDE8
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C8ECDFF
PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C8ECE16
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C8ECE29
PR_UnloadLibrary.NSS3(00000000), ref: 6C8ECE48

Strings

ws2_32.dll, xrefs: 6C8ECD75
wship6.dll, xrefs: 6C8ECDE3
freeaddrinfo, xrefs: 6C8ECD9F, 6C8ECE10
getnameinfo, xrefs: 6C8ECDB2, 6C8ECE23
getaddrinfo, xrefs: 6C8ECD88, 6C8ECDF9

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
API String ID: 601260978-871931242
Opcode ID: ed12b88fae8d566f9580f9a83a8e602b2b932212e6d27e86223a19e860a7171d
Instruction ID: 131595731ac86a341ed32dadf45fa9384163a0a0c76a80edabae9af167259d36
Opcode Fuzzy Hash: ed12b88fae8d566f9580f9a83a8e602b2b932212e6d27e86223a19e860a7171d
Instruction Fuzzy Hash: 7C11E9A5F0711256DB21AE796E00AEA3DAC5B5710DF780D34E825E6F02FB21C52886E2

Function 6C864540 Relevance: 25.8, APIs: 17, Instructions: 349COMMON

Download Yara Rule

APIs

PK11_MakeIDFromPubKey.NSS3(00000000), ref: 6C864590
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C86471C
TlsGetValue.KERNEL32 ref: 6C86477C
EnterCriticalSection.KERNEL32(?), ref: 6C86479A
PR_SetError.NSS3(FFFFE002,00000000), ref: 6C86484A
PK11_FreeSymKey.NSS3(?), ref: 6C864858
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C86486A
PR_Unlock.NSS3(?), ref: 6C86487E

Part of subcall function 6C8CDD70: TlsGetValue.KERNEL32 ref: 6C8CDD8C
Part of subcall function 6C8CDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C8CDDB4

PK11_FreeSymKey.NSS3(?), ref: 6C86488C
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C86489C
PK11_GetInternalSlot.NSS3 ref: 6C8648B2
PK11_UnwrapPrivKey.NSS3(00000000,00000130,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,6C847F9D), ref: 6C8648EC
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6C86492A
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C864949
PR_SetError.NSS3(00000000,00000000), ref: 6C864977
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C864987
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C86499B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Item_UtilZfree$K11_$CriticalErrorFreeSectionValue$DestroyEnterFromInternalLeaveMakePrivPrivateSlotUnlockUnwrap
String ID:
API String ID: 1673584487-0
Opcode ID: 2dd243a767d5b2f77d7ffade8be482dcc3890e8bf98cb5fb4296d3a01dd69356
Instruction ID: 4e3d3741ebd463dd79f61db38c82038fe2d16d45dc762ee37bafbeabae08f49f
Opcode Fuzzy Hash: 2dd243a767d5b2f77d7ffade8be482dcc3890e8bf98cb5fb4296d3a01dd69356
Instruction Fuzzy Hash: 1AE19F71D002199FDB21CF19CD54BAEBBB5AF84308F1089B9E809A7B51E7319A84CF90

Function 6C886CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6C951DE0,?), ref: 6C886CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C886D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C886D70
PORT_Alloc_Util.NSS3(00000480), ref: 6C886D82
DER_GetInteger_Util.NSS3(?), ref: 6C886DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C886DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C886E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C886F19
PK11_DigestBegin.NSS3(00000000), ref: 6C886F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6C886F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C887011
PK11_FreeSymKey.NSS3(00000000), ref: 6C887033
free.MOZGLUE(?), ref: 6C88703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C887060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C887087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6C8870AF

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: d35614d87bfffd4157dfa45dc49ae88a92b95bf449b47f0b490e8867f8b138e6
Instruction ID: 28f281b6701fe64e187bc6882f9793a9546fc12af60f7eced189106d20f25cce
Opcode Fuzzy Hash: d35614d87bfffd4157dfa45dc49ae88a92b95bf449b47f0b490e8867f8b138e6
Instruction Fuzzy Hash: 30A1E7B192A2059BEB308B24DF45B6A72A5DB8130CF248D39E918CBF81E775D845C763

Function 6C8625D0 Relevance: 24.3, APIs: 16, Instructions: 284COMMON

Download Yara Rule

APIs

PK11_ImportPublicKey.NSS3(00000000,?,00000000,?,?,?,?,?,?,-00000001,?,?,?,6C83662E,?,?), ref: 6C86264E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C83662E,?,?), ref: 6C862670
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C83662E,?), ref: 6C862684
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C8626C2
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,?), ref: 6C8626E0
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C8626F4
PR_Unlock.NSS3(?), ref: 6C86274D
PR_SetError.NSS3(00000000,00000000), ref: 6C8628A9

Part of subcall function 6C873440: PK11_GetAllTokens.NSS3 ref: 6C873481
Part of subcall function 6C873440: PR_SetError.NSS3(00000000,00000000), ref: 6C8734A3
Part of subcall function 6C873440: TlsGetValue.KERNEL32 ref: 6C87352E
Part of subcall function 6C873440: EnterCriticalSection.KERNEL32(?), ref: 6C873542
Part of subcall function 6C873440: PR_Unlock.NSS3(?), ref: 6C87355B

PR_Unlock.NSS3(?), ref: 6C8627A1
PR_SetError.NSS3(FFFFE040,00000000,?,?,?,?,?,?,-00000001,?,?,?,6C83662E,?,?,?), ref: 6C8627B5
PR_Unlock.NSS3(?), ref: 6C8627CE
TlsGetValue.KERNEL32 ref: 6C8627E8
EnterCriticalSection.KERNEL32(0000001C), ref: 6C862800

Part of subcall function 6C86F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C86F854
Part of subcall function 6C86F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C86F868
Part of subcall function 6C86F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C86F882
Part of subcall function 6C86F820: free.MOZGLUE(04C483FF,?,?), ref: 6C86F889
Part of subcall function 6C86F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C86F8A4
Part of subcall function 6C86F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C86F8AB
Part of subcall function 6C86F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C86F8C9
Part of subcall function 6C86F820: free.MOZGLUE(280F10EC,?,?), ref: 6C86F8D0

PR_Unlock.NSS3(?), ref: 6C862834
TlsGetValue.KERNEL32 ref: 6C86284E
EnterCriticalSection.KERNEL32(0000001C), ref: 6C862866

Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107AD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107CD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107D6
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C7A204A), ref: 6C8107E4
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,6C7A204A), ref: 6C810864
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C810880
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,6C7A204A), ref: 6C8108CB
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108D7
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108FB

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$CriticalSection$Unlock$Enterfree$DeleteError$K11_calloc$ImportPublicTokens
String ID:
API String ID: 544520609-0
Opcode ID: 398540d60991f673139b6d397c06c7ffa7522f8394caba02d35e32d8417e571c
Instruction ID: 43373c1c23b6004ff34af70b86adf370e572de1053a4cc83ff4053b628762c84
Opcode Fuzzy Hash: 398540d60991f673139b6d397c06c7ffa7522f8394caba02d35e32d8417e571c
Instruction Fuzzy Hash: 5FB1A1B0D04205DFDB21DF69DA88BAAB7B4FF09308F144969E905A7F01E735E944CBA1

Function 6C84AEC0 Relevance: 24.3, APIs: 16, Instructions: 272threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C82AB95,00000000,?,00000000,00000000,00000000), ref: 6C84AF25
EnterCriticalSection.KERNEL32(?,?,?,?,6C82AB95,00000000,?,00000000,00000000,00000000), ref: 6C84AF39
PR_Unlock.NSS3(?,?,?,6C82AB95,00000000,?,00000000,00000000,00000000), ref: 6C84AF51
PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6C82AB95,00000000,?,00000000,00000000,00000000), ref: 6C84AF69
TlsGetValue.KERNEL32 ref: 6C84B06B
EnterCriticalSection.KERNEL32(?), ref: 6C84B083
PR_Unlock.NSS3(?), ref: 6C84B0A4
TlsGetValue.KERNEL32 ref: 6C84B0C1
EnterCriticalSection.KERNEL32(00000000), ref: 6C84B0D9
PR_Unlock.NSS3 ref: 6C84B102
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C84B151
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C84B182

Part of subcall function 6C87FAB0: free.MOZGLUE(?,-00000001,?,?,6C81F673,00000000,00000000), ref: 6C87FAC7

PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C84B177

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6C82AB95,00000000,?,00000000,00000000,00000000), ref: 6C84B1A2
PR_GetCurrentThread.NSS3(?,?,?,?,6C82AB95,00000000,?,00000000,00000000,00000000), ref: 6C84B1AA
PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6C82AB95,00000000,?,00000000,00000000,00000000), ref: 6C84B1C2

Part of subcall function 6C871560: TlsGetValue.KERNEL32(00000000,?,6C840844,?), ref: 6C87157A
Part of subcall function 6C871560: EnterCriticalSection.KERNEL32(?,?,?,6C840844,?), ref: 6C87158F
Part of subcall function 6C871560: PR_Unlock.NSS3(?,?,?,?,6C840844,?), ref: 6C8715B2

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
String ID:
API String ID: 4188828017-0
Opcode ID: 159921c371ccbc58d5746dadef77223cacbff8aa5b73ae523dc61e0d913bc756
Instruction ID: 183110ed8481cac3cad71ee16eaf35d1fe8f64b64c36e494a34c6835f02a36f0
Opcode Fuzzy Hash: 159921c371ccbc58d5746dadef77223cacbff8aa5b73ae523dc61e0d913bc756
Instruction Fuzzy Hash: 28A1BFB1D006099BEF219FA8DD41AFEB7B4AF05308F148935E809AB611E731E955CBA1

Function 6C86E550 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 384COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C86E5A0

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

memcpy.VCRUNTIME140(?,?,?), ref: 6C86E5F2

Strings

0, xrefs: 6C86EA4D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ErrorValuememcpy
String ID: 0
API String ID: 3044119603-4108050209
Opcode ID: 0b7c89060bfd7523e3a794c639218f902bed4df946e6c8f374e60f7d0df902db
Instruction ID: 4d4a0690d6d229d8d6572f18014c7279069333a5656c9fc40f6a734d8981e98e
Opcode Fuzzy Hash: 0b7c89060bfd7523e3a794c639218f902bed4df946e6c8f374e60f7d0df902db
Instruction Fuzzy Hash: F5F17DB19002299BDB318F25CD84BDAB7B5BF49308F1449A4E908A7B41E771EE94CFD0

Function 6C8FA4C0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C8FA4E6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C8FA4F9
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8FA553
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C8FA5AC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8FA5F7
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8FA60C
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000110E1,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C8FA633
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8FA671
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 6C8FA69A

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C8FA61D, 6C8FA68B, 6C8FA6B3
%s at line %d of [%.10s], xrefs: 6C8FA62C
database corruption, xrefs: 6C8FA627

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: _byteswap_ulong$_byteswap_ushortsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2358773949-598938438
Opcode ID: 7aa1dc74cfca88a845bea8285ce4ecca013c46a90d8300ac700a8c76076519f3
Instruction ID: 08ceae2759e08194fb88fdaaefd243e951067fd5b945684c389edbe68971992e
Opcode Fuzzy Hash: 7aa1dc74cfca88a845bea8285ce4ecca013c46a90d8300ac700a8c76076519f3
Instruction Fuzzy Hash: 0A51E4B1908300ABDB11CF25D980B9E7BE0AF54368F048C2DF8998B651F735DD95CB92

Function 6C8245B0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,6C821984,?), ref: 6C8245F2
SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C8245FB

Part of subcall function 6C880840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8808B4

SECITEM_CompareItem_Util.NSS3(00000000,-00000001), ref: 6C82461E

Part of subcall function 6C87FCB0: memcmp.VCRUNTIME140(?,8B0B74C0,04C6831E,?,00000000,?,6C824101,00000000,?,?,?,6C821666,?,?), ref: 6C87FCF2

SECITEM_CopyItem_Util.NSS3(00000000,?,-00000019), ref: 6C824646
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C824662
PR_SetError.NSS3(FFFFE023,00000000), ref: 6C82467A
PR_CallOnce.NSS3(6C982AA4,6C8812D0), ref: 6C824691
PL_FreeArenaPool.NSS3 ref: 6C8246A3
PL_FinishArenaPool.NSS3 ref: 6C8246AB
free.MOZGLUE(?), ref: 6C8246BC
PORT_ZAlloc_Util.NSS3(?), ref: 6C8246E5
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C824717

Strings

security, xrefs: 6C8245EC

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$ArenaItem_Pool$Error$Alloc_CallCompareCopyDecodeFindFinishFreeInitOnceQuickTag_freememcmpmemcpy
String ID: security
API String ID: 3482804875-3315324353
Opcode ID: de9d7c504f8f688ab7dc463516dd38abf5b225bbd23e1741a126888856a5c71b
Instruction ID: c79c42178dbf01fbc9a749235fb6f10407dbe4e0fc235461b7765d92f90ef815
Opcode Fuzzy Hash: de9d7c504f8f688ab7dc463516dd38abf5b225bbd23e1741a126888856a5c71b
Instruction Fuzzy Hash: 3C4136B29053106BE7208B289D48F4B77D8AFC425CF140E38EC19A3B41F734E958C6E2

Function 6C89AD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C89ADB1

Part of subcall function 6C87BE30: SECOID_FindOID_Util.NSS3(6C83311B,00000000,?,6C83311B,?), ref: 6C87BE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C89ADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C89AE08

Part of subcall function 6C87B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9518D0,?), ref: 6C87B095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C89AE25
PL_FreeArenaPool.NSS3 ref: 6C89AE63
PR_CallOnce.NSS3(6C982AA4,6C8812D0), ref: 6C89AE4D

Part of subcall function 6C7A4C70: TlsGetValue.KERNEL32(?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4C97
Part of subcall function 6C7A4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4CB0
Part of subcall function 6C7A4C70: PR_Unlock.NSS3(?,?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C89AE93
PR_CallOnce.NSS3(6C982AA4,6C8812D0), ref: 6C89AECC
PL_FreeArenaPool.NSS3 ref: 6C89AEDE
PL_FinishArenaPool.NSS3 ref: 6C89AEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C89AEF5
PL_FinishArenaPool.NSS3 ref: 6C89AF16

Strings

security, xrefs: 6C89ADEE

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: security
API String ID: 3441714441-3315324353
Opcode ID: 448e3dad53fc79eb81967c92a608ce141f00fa1df204d0b778bb25c23dd8ed15
Instruction ID: 7a17c510dceaba723bccd9b5fcf1d70d4f86384b5699e62f82916ee43d369967
Opcode Fuzzy Hash: 448e3dad53fc79eb81967c92a608ce141f00fa1df204d0b778bb25c23dd8ed15
Instruction Fuzzy Hash: A241F6B2D0521467E7319A1D9E49BFF32A4AF8271CF240D35E81597F41FB39960886E3

Function 6C838DE0 Relevance: 22.7, APIs: 15, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?), ref: 6C838E22
EnterCriticalSection.KERNEL32(?), ref: 6C838E36
memset.VCRUNTIME140(?,00000000,?), ref: 6C838E4F
calloc.MOZGLUE(00000001,?,?,?), ref: 6C838E78
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C838E9B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C838EAC
PL_ArenaAllocate.NSS3(?,?), ref: 6C838EDE
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C838EF0
memset.VCRUNTIME140(?,00000000,?), ref: 6C838F00
free.MOZGLUE(?), ref: 6C838F0E
memcpy.VCRUNTIME140(?,?,?), ref: 6C838F39
memset.VCRUNTIME140(?,00000000,?), ref: 6C838F4A
memset.VCRUNTIME140(?,00000000,?), ref: 6C838F5B
PR_Unlock.NSS3(?), ref: 6C838F72
PR_Unlock.NSS3(?), ref: 6C838F82

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
String ID:
API String ID: 1569127702-0
Opcode ID: c000c43ca760f5d0b6ae17e8f4cfb22dd85a3cb513962ecab3cee10f782d51ca
Instruction ID: 5c8cb42f9ea4ea415c8452a88b8bdcbe045ffd112e1c986c4b27fe31c8d4c147
Opcode Fuzzy Hash: c000c43ca760f5d0b6ae17e8f4cfb22dd85a3cb513962ecab3cee10f782d51ca
Instruction Fuzzy Hash: F9514BB2D002259FDB219FA8CD8496AB779EF55354B14692AEC0CDB740E731ED0487E1

Function 6C930FF0 Relevance: 22.6, APIs: 15, Instructions: 92COMMON

Download Yara Rule

APIs

PR_Lock.NSS3(?), ref: 6C931000

Part of subcall function 6C8E9BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C811A48), ref: 6C8E9BB3
Part of subcall function 6C8E9BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C811A48), ref: 6C8E9BC8

PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6C931016

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

PR_Unlock.NSS3(?), ref: 6C931021

Part of subcall function 6C8CDD70: TlsGetValue.KERNEL32 ref: 6C8CDD8C
Part of subcall function 6C8CDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C8CDDB4

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C931046
PR_Unlock.NSS3(?), ref: 6C93106B
PR_Lock.NSS3 ref: 6C931079
PR_Unlock.NSS3 ref: 6C931096
free.MOZGLUE(?), ref: 6C9310A7
free.MOZGLUE(?), ref: 6C9310B4
PR_DestroyCondVar.NSS3(?), ref: 6C9310BF
PR_DestroyCondVar.NSS3(?), ref: 6C9310CA
PR_DestroyCondVar.NSS3(?), ref: 6C9310D5
PR_DestroyCondVar.NSS3(?), ref: 6C9310E0
PR_DestroyLock.NSS3(?), ref: 6C9310EB
free.MOZGLUE(?), ref: 6C931105

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Destroy$Cond$LockUnlockValuefree$CriticalErrorSection$EnterLeave
String ID:
API String ID: 8544004-0
Opcode ID: 32467ad595eb9280b6ef8a74899a7d0f935719e960b03a21a3a8d7cead99ed58
Instruction ID: 8e0da15aa389322a5ee355f8e465f886a59124784d8e6da7538f82f2345c67e6
Opcode Fuzzy Hash: 32467ad595eb9280b6ef8a74899a7d0f935719e960b03a21a3a8d7cead99ed58
Instruction Fuzzy Hash: A031BCF5A04412ABEB11AF18EE41A85B775FF02319B184531E80903F61E772F9B8DBC2

Function 6C86EDD0 Relevance: 21.2, APIs: 14, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(?), ref: 6C86EE0B

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C86EEE1

Part of subcall function 6C861D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C861D7E
Part of subcall function 6C861D50: EnterCriticalSection.KERNEL32(?), ref: 6C861D8E
Part of subcall function 6C861D50: PR_Unlock.NSS3(?), ref: 6C861DD3

TlsGetValue.KERNEL32 ref: 6C86EE51
EnterCriticalSection.KERNEL32(?), ref: 6C86EE65
PR_Unlock.NSS3(?), ref: 6C86EEA2
free.MOZGLUE(?), ref: 6C86EEBB
PR_SetError.NSS3(00000000,00000000), ref: 6C86EED0
PR_Unlock.NSS3(?), ref: 6C86EF48
free.MOZGLUE(?), ref: 6C86EF68
PR_SetError.NSS3(00000000,00000000), ref: 6C86EF7D
PK11_DoesMechanism.NSS3(?,?), ref: 6C86EFA4
free.MOZGLUE(?), ref: 6C86EFDA
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C86F055
free.MOZGLUE(?), ref: 6C86F060

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
String ID:
API String ID: 2524771861-0
Opcode ID: 7b48cf1d138fbc4b6ee2a47c2cbec5f0965006d275a2e42666fd40dfbd338315
Instruction ID: 9b3bf5783a4dfd96bd3ec545c08b845a5480c6a2a6e72032daafde8aed2b7b87
Opcode Fuzzy Hash: 7b48cf1d138fbc4b6ee2a47c2cbec5f0965006d275a2e42666fd40dfbd338315
Instruction Fuzzy Hash: 5C818271A00209ABDF11DFA9DD85BDE7BB5BF09318F144834E909A7B11E731E924CBA1

Function 6C834CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6C834D80
PORT_Alloc_Util.NSS3(00000000), ref: 6C834D95
PORT_NewArena_Util.NSS3(00000800), ref: 6C834DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C834E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C834E43
PORT_NewArena_Util.NSS3(00000800), ref: 6C834E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C834E85
DER_Encode_Util.NSS3(?,?,6C9805A4,00000000), ref: 6C834EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C834F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C834F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C834F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C834F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C834F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C834FC8

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: 33660ca2455fe01bcfae583d349e20ee5f575c84b040eb3be6425bc2dee6c7a7
Instruction ID: 1a1fff132969491708977932a4192c9ca03e3dd8ecd9d5e3c05c168b6cb2e877
Opcode Fuzzy Hash: 33660ca2455fe01bcfae583d349e20ee5f575c84b040eb3be6425bc2dee6c7a7
Instruction Fuzzy Hash: 148190719093119FE721CF68DE40B5ABBE4ABC4358F14AD29F95CCB641E732E9048BD2

Function 6C830470 Relevance: 21.2, APIs: 14, Instructions: 206timeCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C8304B7

Part of subcall function 6C880FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881000
Part of subcall function 6C880FF0: PR_NewLock.NSS3(?,00000800,6C81EF74,00000000), ref: 6C881016
Part of subcall function 6C880FF0: PL_InitArenaPool.NSS3(00000000,security,6C8287ED,00000008,?,00000800,6C81EF74,00000000), ref: 6C88102B

PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C830539

Part of subcall function 6C881200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C8288A4,00000000,00000000), ref: 6C881228
Part of subcall function 6C881200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C881238
Part of subcall function 6C881200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C8288A4,00000000,00000000), ref: 6C88124B
Part of subcall function 6C881200: PR_CallOnce.NSS3(6C982AA4,6C8812D0,00000000,00000000,00000000,?,6C8288A4,00000000,00000000), ref: 6C88125D
Part of subcall function 6C881200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C88126F
Part of subcall function 6C881200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C881280
Part of subcall function 6C881200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C88128E
Part of subcall function 6C881200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C88129A
Part of subcall function 6C881200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C8812A1

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C83054A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C83056D
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8305CA
DER_GeneralizedTimeToTime_Util.NSS3(?,?), ref: 6C8305EA
PR_SetError.NSS3(FFFFE00C,00000000), ref: 6C8305FD
PR_SetError.NSS3(FFFFE07E,00000000), ref: 6C830621
PR_EnterMonitor.NSS3 ref: 6C83063E
PR_ExitMonitor.NSS3 ref: 6C830668
CERT_DestroyCertificate.NSS3(?), ref: 6C830697
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C8306AC
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C8306CC
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8306DA

Part of subcall function 6C82E6B0: PORT_ArenaMark_Util.NSS3(00000000,?,00000000,?,?,6C8304DC,?,?), ref: 6C82E6C9
Part of subcall function 6C82E6B0: PORT_ArenaAlloc_Util.NSS3(00000000,00000088,?,?,00000000,?,?,6C8304DC,?,?), ref: 6C82E6D9
Part of subcall function 6C82E6B0: memset.VCRUNTIME140(00000000,00000000,00000088,?,?,?,?,00000000,?,?,6C8304DC,?,?), ref: 6C82E6F4
Part of subcall function 6C82E6B0: SECOID_SetAlgorithmID_Util.NSS3(00000000,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000,?,?,6C8304DC,?), ref: 6C82E703
Part of subcall function 6C82E6B0: CERT_FindCertIssuer.NSS3(?,?,6C8304DC,0000000B,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C82E71E

Part of subcall function 6C82F660: PR_EnterMonitor.NSS3(6C83050F,?,00000001,?,?,?), ref: 6C82F6A8
Part of subcall function 6C82F660: PR_Now.NSS3(?,?,?,00000001,?,?,?), ref: 6C82F6C1
Part of subcall function 6C82F660: PR_ExitMonitor.NSS3(?,?,?,00000001,?,?,?), ref: 6C82F7C8

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$ArenaArena_ErrorFree$Monitor$EnterPool$CriticalExitSectionfree$AlgorithmAlloc_CallCertCertificateClearDeleteDestroyFindGeneralizedInitIssuerLockMark_OnceTimeTime_UnlockValuecallocmemset
String ID:
API String ID: 2470852775-0
Opcode ID: 9f4d4f229cb8e447cc9181b58adf42bf60b4318529a9498b1858451511f36fb3
Instruction ID: 907ae5b38aaa2f50f3f84b4d24e94862b52772de49ab3eceed897b7ac5e82938
Opcode Fuzzy Hash: 9f4d4f229cb8e447cc9181b58adf42bf60b4318529a9498b1858451511f36fb3
Instruction Fuzzy Hash: E261F471B043519BDB20DEA8CE40B5B73E4AF84758F106D28F959A7791E730E908CBE2

Function 6C868F40 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C869582), ref: 6C868F5B

Part of subcall function 6C87BE30: SECOID_FindOID_Util.NSS3(6C83311B,00000000,?,6C83311B,?), ref: 6C87BE44

PORT_NewArena_Util.NSS3(00000800), ref: 6C868F6A

Part of subcall function 6C880FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881000
Part of subcall function 6C880FF0: PR_NewLock.NSS3(?,00000800,6C81EF74,00000000), ref: 6C881016
Part of subcall function 6C880FF0: PL_InitArenaPool.NSS3(00000000,security,6C8287ED,00000008,?,00000800,6C81EF74,00000000), ref: 6C88102B

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C868FC3
PK11_GetIVLength.NSS3(-00000001), ref: 6C868FE0
SEC_ASN1DecodeItem_Util.NSS3(?,?,6C94D820,6C869576), ref: 6C868FF9
DER_GetInteger_Util.NSS3(?), ref: 6C86901D
PORT_ZAlloc_Util.NSS3(?), ref: 6C86903E
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C869062
memcpy.VCRUNTIME140(00000024,?,?), ref: 6C8690A2
PORT_ZAlloc_Util.NSS3(?), ref: 6C8690CA
memcpy.VCRUNTIME140(00000018,?,?), ref: 6C8690F0
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C86912D
free.MOZGLUE(00000000), ref: 6C869136
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C869145

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Tag_$AlgorithmAlloc_Arena_Findmemcpy$ArenaDecodeErrorFreeInitInteger_Item_K11_LengthLockPoolcallocfree
String ID:
API String ID: 3626836424-0
Opcode ID: 7776620a5032f79c9e0c11ca12956fa16a0aaf97c2c6e90ffcf5a0080938429e
Instruction ID: 54385f231137fe6f832fa0f3c877ec9c66810ce326b19525fdff226a77e66b52
Opcode Fuzzy Hash: 7776620a5032f79c9e0c11ca12956fa16a0aaf97c2c6e90ffcf5a0080938429e
Instruction Fuzzy Hash: D351F2B2A043009BEB20CF29DD41B9BB7E4AF95318F154939E858C7B81E735E945CB92

Function 6C81AF30 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C81AF47

Part of subcall function 6C8E9090: TlsGetValue.KERNEL32 ref: 6C8E90AB
Part of subcall function 6C8E9090: TlsGetValue.KERNEL32 ref: 6C8E90C9
Part of subcall function 6C8E9090: EnterCriticalSection.KERNEL32 ref: 6C8E90E5
Part of subcall function 6C8E9090: TlsGetValue.KERNEL32 ref: 6C8E9116
Part of subcall function 6C8E9090: LeaveCriticalSection.KERNEL32 ref: 6C8E913F

FreeLibrary.KERNEL32(?), ref: 6C81AF6D
free.MOZGLUE(?), ref: 6C81AFA4
free.MOZGLUE(?), ref: 6C81AFAA
PR_ExitMonitor.NSS3 ref: 6C81AFB5
PR_LogPrint.NSS3(%s decr => %d,?,?), ref: 6C81AFF5
PR_ExitMonitor.NSS3 ref: 6C81B005
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C81B014
PR_LogPrint.NSS3(Unloaded library %s,?), ref: 6C81B028
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C81B03C

Strings

Unloaded library %s, xrefs: 6C81B023
%s decr => %d, xrefs: 6C81AFF0

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: MonitorValue$CriticalEnterErrorExitPrintSectionfree$FreeLeaveLibrary
String ID: %s decr => %d$Unloaded library %s
API String ID: 4015679603-2877805755
Opcode ID: a30ede160aba7695b9709280c107c0c40636c8d08d6ae5a7fdf652218b103b70
Instruction ID: 96330d954458261b08825afe51bebab86a751adbaea3398a7474eb09d813537b
Opcode Fuzzy Hash: a30ede160aba7695b9709280c107c0c40636c8d08d6ae5a7fdf652218b103b70
Instruction Fuzzy Hash: FC31E5F5B0D112AFDB219F64DE44A95B7B5EB46308B244935E81597E40E332E82CC7E2

Function 6C878680 Relevance: 21.1, APIs: 14, Instructions: 91stringCOMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000028,00000000,-00000001,?,00000000,?,6C8255D0,00000000,00000000), ref: 6C87868B
PR_NewLock.NSS3(00000000,00000000), ref: 6C8786A0

Part of subcall function 6C8E98D0: calloc.MOZGLUE(00000001,00000084,6C810936,00000001,?,6C81102C), ref: 6C8E98E5

PR_NewCondVar.NSS3(00000000,00000000,00000000), ref: 6C8786B2

Part of subcall function 6C80BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6C8121BC), ref: 6C80BB8C

PR_NewCondVar.NSS3(00000000,?,00000000,00000000), ref: 6C8786C8

Part of subcall function 6C80BB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6C80BBEB
Part of subcall function 6C80BB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6C80BBFB
Part of subcall function 6C80BB80: GetLastError.KERNEL32 ref: 6C80BC03
Part of subcall function 6C80BB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6C80BC19
Part of subcall function 6C80BB80: free.MOZGLUE(00000000), ref: 6C80BC22

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,00000000), ref: 6C8786E2
malloc.MOZGLUE(00000001,?,?,?,00000000,00000000), ref: 6C8786EC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,00000000), ref: 6C878700
DeleteCriticalSection.KERNEL32(-0000000C,?,?,00000000,00000000), ref: 6C87871F
free.MOZGLUE(00000000,?,?,00000000,00000000), ref: 6C878726
DeleteCriticalSection.KERNEL32(?,?,?,?,00000000,00000000), ref: 6C878743
free.MOZGLUE(?,?,?,?,00000000,00000000), ref: 6C87874A
DeleteCriticalSection.KERNEL32(-0000001C,?,00000000,00000000), ref: 6C878759
free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C878760
free.MOZGLUE(00000000,00000000,00000000), ref: 6C87876C

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$CriticalSection$DeleteErrorcalloc$Cond$CountInitializeLastLockSpinmallocstrcpystrlen
String ID:
API String ID: 1802479574-0
Opcode ID: bbc8391c0bcddaee3ffa869eeae79ec35252a2d0d17ee1290a9bfa0a0b8c4d3a
Instruction ID: b17889ce96356cfeba7fd159f79caea51ad38295d7a6faf8590af86276477fd6
Opcode Fuzzy Hash: bbc8391c0bcddaee3ffa869eeae79ec35252a2d0d17ee1290a9bfa0a0b8c4d3a
Instruction Fuzzy Hash: 8121D6F5B012126BEF21AF798C0995B3AACAF42299B140934F82AD7B41FB35D414C7B1

Function 6C866C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C86781D,00000000,6C85BE2C,?,6C866B1D,?,?,?,?,00000000,00000000,6C86781D), ref: 6C866C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C86781D,?,6C85BE2C,?), ref: 6C866C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C86781D), ref: 6C866C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C866C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C866C96

Part of subcall function 6C811240: TlsGetValue.KERNEL32(00000040,?,6C81116C,NSPR_LOG_MODULES), ref: 6C811267
Part of subcall function 6C811240: EnterCriticalSection.KERNEL32(?,?,?,6C81116C,NSPR_LOG_MODULES), ref: 6C81127C
Part of subcall function 6C811240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C81116C,NSPR_LOG_MODULES), ref: 6C811291
Part of subcall function 6C811240: PR_Unlock.NSS3(?,?,?,?,6C81116C,NSPR_LOG_MODULES), ref: 6C8112A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C866CAA

Strings

dbm, xrefs: 6C866CA4
extern:, xrefs: 6C866C7E
sql:, xrefs: 6C866C52
NSS_DEFAULT_DB_TYPE, xrefs: 6C866C91
rdb:, xrefs: 6C866C69
dbm:, xrefs: 6C866C3A

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: 6dbdc0eb39951f7405fbc135a73119edb9d8c977a3afcc83680fd86d872b04b1
Instruction ID: 6a4b1fd03cd102178a284079c68b59fb1f3433b0ae7375e183abe0e904841834
Opcode Fuzzy Hash: 6dbdc0eb39951f7405fbc135a73119edb9d8c977a3afcc83680fd86d872b04b1
Instruction Fuzzy Hash: 2A012BE170775123F7202B7B1E49F22314D9F8154CF280831FE08E0D81FBA2DA1440B5

Function 6C8725F0 Relevance: 19.9, APIs: 8, Strings: 5, Instructions: 403stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C87A0A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C84A5DF,?,00000000,6C8228AD,00000000,?,6C84A5DF,?,object), ref: 6C87A0C0
Part of subcall function 6C87A0A0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C84A5DF,?,00000000,6C8228AD,00000000,?,6C84A5DF,?,object), ref: 6C87A0E8

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C872834
memcmp.VCRUNTIME140(00000000,00000020,00000020,?,?,?,?,?,?,?,?), ref: 6C87284B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C872A98
memcmp.VCRUNTIME140(00000000,?,00000020,?,?,?,?,?,?,?,?,?,?), ref: 6C872AAF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C872BDC
memcmp.VCRUNTIME140(00000000,?,00000010,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C872BF3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C872D23
memcmp.VCRUNTIME140(00000000,?,00000010,?,?,?,?,?,?,?,?,?), ref: 6C872D34

Strings

token, xrefs: 6C8725FA
model, xrefs: 6C872C06
, xrefs: 6C872A8E, 6C872AAB
manufacturer, xrefs: 6C87285E
serial, xrefs: 6C872AC2

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: memcmpstrlen$strcmp
String ID: $manufacturer$model$serial$token
API String ID: 2407968032-2628435027
Opcode ID: a807a2e722691e9628cbac94f18899d9ce432cb66d6db296f2443ea102ad1b8e
Instruction ID: 35bfc2f7ef188865bce392d345b10126bcd8d8ba67d607cb85a0ed32e390715e
Opcode Fuzzy Hash: a807a2e722691e9628cbac94f18899d9ce432cb66d6db296f2443ea102ad1b8e
Instruction Fuzzy Hash: BC0203A1D0C3C9AEFB318322C98CBD92EE05B1931CF4D19F5C98D4BA93E2BD45959361

Function 6C908780 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 443COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,-00000001,-00000001,00000000,?,?,6C90849F,?,-00000001,-00000001,00000000,?,00000000,?,00000000), ref: 6C90884C
sqlite3_free.NSS3(?,?,?,?,?,?,-00000001,00000000,?,?,6C90849F,?,-00000001,-00000001,00000000,?), ref: 6C9088F1
memset.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,?,?,-00000001,00000000,?,?,6C90849F,?,-00000001), ref: 6C908929
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,-00000001,00000000,?,?,6C90849F,?), ref: 6C908B4C
sqlite3_free.NSS3(?,?,?,?,?,?,?,-00000001,00000000,?,?,6C90849F,?,-00000001,-00000001,00000000), ref: 6C908B7C
sqlite3_free.NSS3(0000000A,?,?,?,?,?,?,?,?,?,-00000001,00000000,?,?,6C90849F,?), ref: 6C908CCF

Strings

abort due to ROLLBACK, xrefs: 6C908B04
no more rows available, xrefs: 6C908B0E
another row available, xrefs: 6C908AB1
%s.xBestIndex malfunction, xrefs: 6C908AEC
unknown error, xrefs: 6C9088DD, 6C908B1B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_free$memset
String ID: %s.xBestIndex malfunction$abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 2669552516-2256271834
Opcode ID: 18f51c777ccc38c020eac9f134b5f37f0222c4bdd08fe8cfa48c885fde8aea58
Instruction ID: a4dfd7baa521d62c5ae89c64bd7048de3f3f0fc60b66205d7e11951183b8ff2c
Opcode Fuzzy Hash: 18f51c777ccc38c020eac9f134b5f37f0222c4bdd08fe8cfa48c885fde8aea58
Instruction Fuzzy Hash: 3502CFB1B00615CFDB18CF58C4806AAB7F6FF48314F24466ED866ABB51D731E892CB94

Function 6C874E60 Relevance: 19.7, APIs: 13, Instructions: 186COMMON

Download Yara Rule

APIs

PR_SetErrorText.NSS3(00000000,00000000,?,6C8378F8), ref: 6C874E6D

Part of subcall function 6C8109E0: TlsGetValue.KERNEL32(00000000,?,?,?,6C8106A2,00000000,?), ref: 6C8109F8
Part of subcall function 6C8109E0: malloc.MOZGLUE(0000001F), ref: 6C810A18
Part of subcall function 6C8109E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6C810A33

PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6C8378F8), ref: 6C874ED9

Part of subcall function 6C865920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6C867703,?,00000000,00000000), ref: 6C865942
Part of subcall function 6C865920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C867703), ref: 6C865954
Part of subcall function 6C865920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C86596A
Part of subcall function 6C865920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C865984
Part of subcall function 6C865920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6C865999
Part of subcall function 6C865920: free.MOZGLUE(00000000), ref: 6C8659BA
Part of subcall function 6C865920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6C8659D3
Part of subcall function 6C865920: free.MOZGLUE(00000000), ref: 6C8659F5
Part of subcall function 6C865920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6C865A0A
Part of subcall function 6C865920: free.MOZGLUE(00000000), ref: 6C865A2E
Part of subcall function 6C865920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6C865A43

SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6C8378F8), ref: 6C874EB3

Part of subcall function 6C874820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C874EB8,?,?,?,?,?,?,?,?,?,?,6C8378F8), ref: 6C87484C
Part of subcall function 6C874820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C874EB8,?,?,?,?,?,?,?,?,?,?,6C8378F8), ref: 6C87486D
Part of subcall function 6C874820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C874EB8,?), ref: 6C874884

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C8378F8), ref: 6C874EC0

Part of subcall function 6C874470: TlsGetValue.KERNEL32(00000000,?,6C837296,00000000), ref: 6C874487
Part of subcall function 6C874470: EnterCriticalSection.KERNEL32(?,?,?,6C837296,00000000), ref: 6C8744A0
Part of subcall function 6C874470: PR_Unlock.NSS3(?,?,?,?,6C837296,00000000), ref: 6C8744BB

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C8378F8), ref: 6C874F16
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C8378F8), ref: 6C874F2E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C8378F8), ref: 6C874F40
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C8378F8), ref: 6C874F6C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C8378F8), ref: 6C874F80
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C8378F8), ref: 6C874F8F
PK11_UpdateSlotAttribute.NSS3(?,6C94DCB0,00000000), ref: 6C874FFE
PK11_UserDisableSlot.NSS3(0000001E), ref: 6C87501F
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6C8378F8), ref: 6C87506B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
String ID:
API String ID: 560490210-0
Opcode ID: 68ce8fc3ad31f11d42a857041814436cca613982f81d7bf9f6b45258af6ea2c2
Instruction ID: 41170d2f6632f90453571665933b358b3b5e5be04d3319766f2409103fa021ef
Opcode Fuzzy Hash: 68ce8fc3ad31f11d42a857041814436cca613982f81d7bf9f6b45258af6ea2c2
Instruction Fuzzy Hash: 0D51E4B19056059BDB319F28EE45A9F36B4EF4631CF180D35E80A96A11FB31D5248AF2

Function 6C81ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C81ACE2
malloc.MOZGLUE(00000001), ref: 6C81ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C81AD02
TlsGetValue.KERNEL32 ref: 6C81AD3C
calloc.MOZGLUE(00000001,?), ref: 6C81AD8C
PR_Unlock.NSS3 ref: 6C81ADC0
free.MOZGLUE(00000000), ref: 6C81AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C81AE58
free.MOZGLUE(00000000), ref: 6C81AE69
free.MOZGLUE(?), ref: 6C81AE78
PR_Unlock.NSS3 ref: 6C81AE8C
free.MOZGLUE(?), ref: 6C81AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C81AEC7

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: 621e657ffde21fb4c0ee847e240a073153b75ad00e4a8349766c9dd61bffb849
Instruction ID: 3c28b9d17d7f2cd9fd187ec87de1370d733a29accca1b2b46c6e2d6d86bf0e26
Opcode Fuzzy Hash: 621e657ffde21fb4c0ee847e240a073153b75ad00e4a8349766c9dd61bffb849
Instruction Fuzzy Hash: 9951B5B0E0A1168BDF21DF58CA416AE77F4BB0734AF240925D815A7F00D331E958CBE2

Function 6C8F4C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6C8F4CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C8F4CFD
sqlite3_value_text16.NSS3(?), ref: 6C8F4D44

Strings

bad parameter or other API misuse, xrefs: 6C8F4D05
invalid, xrefs: 6C8F4CF1
abort due to ROLLBACK, xrefs: 6C8F4D27, 6C8F4D33
no more rows available, xrefs: 6C8F4D2E
another row available, xrefs: 6C8F4D20
unknown error, xrefs: 6C8F4D56
out of memory, xrefs: 6C8F4C78, 6C8F4C9E
API call with %s database connection pointer, xrefs: 6C8F4CF6

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: 50feb140a077ad1d8279ffa553f38ea1cae569c2be9c96f4523d95642260990e
Instruction ID: e405776cbc27cfcf287e308b912ff359237b2692aaca725af5b4b4d8e51354bb
Opcode Fuzzy Hash: 50feb140a077ad1d8279ffa553f38ea1cae569c2be9c96f4523d95642260990e
Instruction Fuzzy Hash: F2317772A08911A7E73856249B217A573627BC2399F261D27C8384BE54CB35EC2383F2

Function 6C7C2450 Relevance: 19.2, APIs: 15, Instructions: 440COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C7C24BA
LeaveCriticalSection.KERNEL32(?), ref: 6C7C250D
EnterCriticalSection.KERNEL32(?), ref: 6C7C2554
LeaveCriticalSection.KERNEL32(?), ref: 6C7C25A7
EnterCriticalSection.KERNEL32(?), ref: 6C7C2609
LeaveCriticalSection.KERNEL32(?), ref: 6C7C265F
EnterCriticalSection.KERNEL32(?), ref: 6C7C26A2
LeaveCriticalSection.KERNEL32(?), ref: 6C7C26F5
EnterCriticalSection.KERNEL32(?), ref: 6C7C2764
LeaveCriticalSection.KERNEL32(?), ref: 6C7C2898
EnterCriticalSection.KERNEL32(?), ref: 6C7C28D0
EnterCriticalSection.KERNEL32(?), ref: 6C7C2948
LeaveCriticalSection.KERNEL32(?), ref: 6C7C299B
EnterCriticalSection.KERNEL32(?), ref: 6C7C29E2
LeaveCriticalSection.KERNEL32(?), ref: 6C7C2A31

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: dca2c64172149e86303b2bf88607d53f3957fc4fc7acedeefa84e0e75f5a80b9
Instruction ID: 30a582fdcd3c54575fec8c81b096ff155641e76b8f8c28a13abcc873ecd6a2a4
Opcode Fuzzy Hash: dca2c64172149e86303b2bf88607d53f3957fc4fc7acedeefa84e0e75f5a80b9
Instruction Fuzzy Hash: 35F18F31B0F121CFDB059F60EA9DAAA3774BF47314B38152DE91697A00DB399941CBA3

Function 6C82A7B0 Relevance: 18.3, APIs: 12, Instructions: 340timeCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C82A7F9
EnterCriticalSection.KERNEL32(?), ref: 6C82A810
PR_Unlock.NSS3 ref: 6C82A828
CERT_IsUserCert.NSS3(?), ref: 6C82A83E
CERT_GetFirstEmailAddress.NSS3(?), ref: 6C82A865
DER_UTCTimeToTime_Util.NSS3(?,?), ref: 6C82A9F2

Part of subcall function 6C8771B0: PR_SetError.NSS3(FFFFE008,00000000), ref: 6C8771E9

DER_UTCTimeToTime_Util.NSS3(?,?), ref: 6C82AA21
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C82AAF9
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C82AB14
CERT_GetNextEmailAddress.NSS3(?,?), ref: 6C82AB4D
PK11_GetInternalKeySlot.NSS3 ref: 6C82AB7E
PK11_ImportCert.NSS3(00000000,?,00000000,00000000,00000000), ref: 6C82AB90

Part of subcall function 6C860FE0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C861057
Part of subcall function 6C860FE0: free.MOZGLUE(?), ref: 6C8611A6
Part of subcall function 6C860FE0: PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C8611D3
Part of subcall function 6C860FE0: PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C8611F3

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$AddressAlloc_CertEmailItem_K11_TimeTime_Zfree$CriticalEnterErrorFirstImportInternalNextSectionSlotUnlockUserValuefreestrlen
String ID:
API String ID: 483008407-0
Opcode ID: eab8360fc700ca33663b33ae0f504aab61841fb4e4448b298a7d627f7628791b
Instruction ID: 37567bb7c7e492e8c9827550b4a8950247c3ee91984f3bfa85f7268b1325d47a
Opcode Fuzzy Hash: eab8360fc700ca33663b33ae0f504aab61841fb4e4448b298a7d627f7628791b
Instruction Fuzzy Hash: 2DC18171A09301AFD710CF29CA44AABB7E9AF84708F154D2DE899C7711E735D984CBD2

Function 6C8F2D40 Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C8F2D9F

Part of subcall function 6C7ACA30: EnterCriticalSection.KERNEL32(?,?,?,6C80F9C9,?,6C80F4DA,6C80F9C9,?,?,6C7D369A), ref: 6C7ACA7A
Part of subcall function 6C7ACA30: LeaveCriticalSection.KERNEL32(?), ref: 6C7ACB26

sqlite3_exec.NSS3(?,?,6C8F2F70,?,?), ref: 6C8F2DF9
sqlite3_free.NSS3(00000000), ref: 6C8F2E2C
sqlite3_free.NSS3(?), ref: 6C8F2E3A
sqlite3_free.NSS3(?), ref: 6C8F2E52
sqlite3_mprintf.NSS3(6C95AAF9,?), ref: 6C8F2E62
sqlite3_free.NSS3(?), ref: 6C8F2E70
sqlite3_free.NSS3(?), ref: 6C8F2E89
sqlite3_free.NSS3(?), ref: 6C8F2EBB
sqlite3_free.NSS3(?), ref: 6C8F2ECB
sqlite3_free.NSS3(00000000), ref: 6C8F2F3E
sqlite3_free.NSS3(?), ref: 6C8F2F4C

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
String ID:
API String ID: 1957633107-0
Opcode ID: 47a3b3299609d31c5ca4717c0e895f9f7ba0dc3578d83112ee5398bfe6046ce1
Instruction ID: ecbc21b71e80dc3b3deff1e2e609244d7275a3b73989f2f2d6ae42107944a328
Opcode Fuzzy Hash: 47a3b3299609d31c5ca4717c0e895f9f7ba0dc3578d83112ee5398bfe6046ce1
Instruction Fuzzy Hash: 5761D7B5E052459BEB20DFA8D9887DE77B5FF48388F204424DC25A7701E739E856CBA0

Function 6C842C40 Relevance: 18.2, APIs: 12, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C843F23,?,6C83E477,?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C842C62
EnterCriticalSection.KERNEL32(0000001C,?,6C83E477,?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C842C76
PL_HashTableLookup.NSS3(00000000,?,?,6C83E477,?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C842C86
PR_Unlock.NSS3(00000000,?,?,?,?,6C83E477,?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C842C93

Part of subcall function 6C8CDD70: TlsGetValue.KERNEL32 ref: 6C8CDD8C
Part of subcall function 6C8CDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C8CDDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6C83E477,?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C842CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C83E477,?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C842CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C83E477,?,?,?,00000001,00000000,?,?,6C843F23), ref: 6C842CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C83E477,?,?,?,00000001,00000000,?), ref: 6C842CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C83E477,?,?,?,00000001,00000000,?), ref: 6C842D4D
EnterCriticalSection.KERNEL32(?), ref: 6C842D61
PL_HashTableLookup.NSS3(?,?), ref: 6C842D71
PR_Unlock.NSS3(?), ref: 6C842D7E

Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107AD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107CD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107D6
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C7A204A), ref: 6C8107E4
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,6C7A204A), ref: 6C810864
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C810880
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,6C7A204A), ref: 6C8108CB
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108D7
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108FB

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID:
API String ID: 2446853827-0
Opcode ID: a18407e842b634c2e7b8f271bab893a3ed9b654be9a9851dc410c1493eeb0211
Instruction ID: 700c057fa1391518feb01b8d9da4b65dc8d5eb77ca5515b84b8bfb0741f4558a
Opcode Fuzzy Hash: a18407e842b634c2e7b8f271bab893a3ed9b654be9a9851dc410c1493eeb0211
Instruction Fuzzy Hash: 355106B6D04219ABDB219F28DD449AA77B4BF09358B148D30EC18D7B12FB31E964C7E1

Function 6C7A4C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4C97
EnterCriticalSection.KERNEL32(?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4CB0
PR_Unlock.NSS3(?,?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4D97
PR_Lock.NSS3(?,?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4DBA
PR_WaitCondVar.NSS3 ref: 6C7A4DD4
PR_Unlock.NSS3(?,?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4DEF

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: bce2f0daed359b555ff8004f2da691ea8c40fb89f00f2b41ce9de08a2bf2dcdb
Instruction ID: 9ad49d264b1fedc8ecbfae56927d56983e46b6212e2b540d596ced2b4f1df7a4
Opcode Fuzzy Hash: bce2f0daed359b555ff8004f2da691ea8c40fb89f00f2b41ce9de08a2bf2dcdb
Instruction Fuzzy Hash: 7641AEB1A0A611CFCB10AFBCD688159BBF4BF06314F154B79D8989B704EB31D885CB81

Function 6C810600 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 84stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 6C810623
GetLastError.KERNEL32(?,?,?,?,?,6C8105E2), ref: 6C810642
TlsGetValue.KERNEL32(?,?,?,?,?,6C8105E2), ref: 6C81065D
GetLastError.KERNEL32 ref: 6C810678
PR_snprintf.NSS3(?,00000014,error %d,00000000), ref: 6C81068A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C810693
PR_SetErrorText.NSS3(00000000,?), ref: 6C81069D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,3A2AAD3E,?,?,?,?,?,6C8105E2), ref: 6C8106CA
PR_SetError.NSS3(FFFFE8A9,00000000,?,?,?,?,?,6C8105E2), ref: 6C8106E6

Strings

error %d, xrefs: 6C810682

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Error$Last$AddressProcR_snprintfTextValuestrcmpstrlen
String ID: error %d
API String ID: 4000364758-2147592115
Opcode ID: a2c519d0bcfe04ee542a0dd39ba1169d640f4defa184f16f4044fafa8f486c2d
Instruction ID: 2f5af053ef7039d382d99575f7efc223e79adec612ec907f26445b8beb8aac9f
Opcode Fuzzy Hash: a2c519d0bcfe04ee542a0dd39ba1169d640f4defa184f16f4044fafa8f486c2d
Instruction Fuzzy Hash: 16213771A0D2969BD7206B3D9E04A6A77F4AF8230DF240C24E80897F51EB31D924C6A1

Function 6C86ECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C86DE64), ref: 6C86ED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C86ED22

Part of subcall function 6C87B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9518D0,?), ref: 6C87B095

PL_FreeArenaPool.NSS3(?), ref: 6C86ED4A
PL_FinishArenaPool.NSS3(?), ref: 6C86ED6B
PR_CallOnce.NSS3(6C982AA4,6C8812D0), ref: 6C86ED38

Part of subcall function 6C7A4C70: TlsGetValue.KERNEL32(?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4C97
Part of subcall function 6C7A4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4CB0
Part of subcall function 6C7A4C70: PR_Unlock.NSS3(?,?,?,?,?,6C7A3921,6C9814E4,6C8ECC70), ref: 6C7A4CC9

SECOID_FindOID_Util.NSS3(?), ref: 6C86ED52
PR_CallOnce.NSS3(6C982AA4,6C8812D0), ref: 6C86ED83
PL_FreeArenaPool.NSS3(?), ref: 6C86ED95
PL_FinishArenaPool.NSS3(?), ref: 6C86ED9D

Part of subcall function 6C8864F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C88127C,00000000,00000000,00000000), ref: 6C88650E

Strings

security, xrefs: 6C86ED06

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: 1b12c37345443b604a7f73d8345e44240f6c389e752e606a5e55ba8447b42010
Instruction ID: a7008f29d0844c67db110d6b3a85e598fb3363ef5c911ec16dc428d40544e0f3
Opcode Fuzzy Hash: 1b12c37345443b604a7f73d8345e44240f6c389e752e606a5e55ba8447b42010
Instruction Fuzzy Hash: 4C112B759022186BDB30966EEE84FBF7278AF4260DF040D34E81563E81FB35A50C97E6

Function 6C930EB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Aborting,?,6C812357), ref: 6C930EB8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C812357), ref: 6C930EC0
PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C930EE6

Part of subcall function 6C9309D0: PR_Now.NSS3 ref: 6C930A22
Part of subcall function 6C9309D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C930A35
Part of subcall function 6C9309D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C930A66
Part of subcall function 6C9309D0: PR_GetCurrentThread.NSS3 ref: 6C930A70
Part of subcall function 6C9309D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C930A9D
Part of subcall function 6C9309D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C930AC8
Part of subcall function 6C9309D0: PR_vsmprintf.NSS3(?,?), ref: 6C930AE8
Part of subcall function 6C9309D0: EnterCriticalSection.KERNEL32(?), ref: 6C930B19
Part of subcall function 6C9309D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C930B48
Part of subcall function 6C9309D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C930C76
Part of subcall function 6C9309D0: PR_LogFlush.NSS3 ref: 6C930C7E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C930EFA

Part of subcall function 6C81AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C81AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C930F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C930F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C930F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C930F2B

Strings

Aborting, xrefs: 6C930EB3
Assertion failure: %s, at %s:%d, xrefs: 6C930ED9, 6C930EE5, 6C930F06, 6C930F0B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 3905088656-1374795319
Opcode ID: 9fa240539202c070ac30c42e44cad8e38e3903c4cc99e243550b927f136ea8e9
Instruction ID: 72d716c7701aa7715fe2bd1776773d4a49fd7d21f7574c7857ebcd8098981ecb
Opcode Fuzzy Hash: 9fa240539202c070ac30c42e44cad8e38e3903c4cc99e243550b927f136ea8e9
Instruction Fuzzy Hash: 39F0AFF59002247BEB027B61DD4AC9B3E2DDF96268F004424FD0956602DA36E92497B2

Function 6C894DB0 Relevance: 16.9, APIs: 11, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6C894DCB

Part of subcall function 6C880FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881000
Part of subcall function 6C880FF0: PR_NewLock.NSS3(?,00000800,6C81EF74,00000000), ref: 6C881016
Part of subcall function 6C880FF0: PL_InitArenaPool.NSS3(00000000,security,6C8287ED,00000008,?,00000800,6C81EF74,00000000), ref: 6C88102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C894DE1

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C894DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C894E59

Part of subcall function 6C87FAB0: free.MOZGLUE(?,-00000001,?,?,6C81F673,00000000,00000000), ref: 6C87FAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C95300C,00000000), ref: 6C894EB8
SECOID_FindOID_Util.NSS3(?), ref: 6C894EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C894F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C89521A

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID:
API String ID: 1025791883-0
Opcode ID: 4854d1ae269b1d946559cece252c6cc7321a664ce67e74cdd921957fd40a4a6b
Instruction ID: f03e502b91a1610c37a6abfdada314da23bc3896c8e2750817f7da862e74cafb
Opcode Fuzzy Hash: 4854d1ae269b1d946559cece252c6cc7321a664ce67e74cdd921957fd40a4a6b
Instruction Fuzzy Hash: 2BF19D71E0120ACFDB14CF58DA407AEB7B2FF84319F254629E915AB780E735E981CB90

Function 6C890C60 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C892C2A), ref: 6C890C81

Part of subcall function 6C87BE30: SECOID_FindOID_Util.NSS3(6C83311B,00000000,?,6C83311B,?), ref: 6C87BE44

Part of subcall function 6C868500: SECOID_GetAlgorithmTag_Util.NSS3(6C8695DC,00000000,00000000,00000000,?,6C8695DC,00000000,00000000,?,6C847F4A,00000000,?,00000000,00000000), ref: 6C868517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C890CC4

Part of subcall function 6C87FAB0: free.MOZGLUE(?,-00000001,?,?,6C81F673,00000000,00000000), ref: 6C87FAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C890CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C890D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C890D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C890D7D
free.MOZGLUE(00000000), ref: 6C890DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C890DC1
free.MOZGLUE(00000000), ref: 6C890DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C890E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C890E0F

Part of subcall function 6C8695C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C847F4A,00000000,?,00000000,00000000), ref: 6C8695E0
Part of subcall function 6C8695C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C847F4A,00000000,?,00000000,00000000), ref: 6C8695F5
Part of subcall function 6C8695C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C869609
Part of subcall function 6C8695C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C86961D
Part of subcall function 6C8695C0: PK11_GetInternalSlot.NSS3 ref: 6C86970B
Part of subcall function 6C8695C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C869756
Part of subcall function 6C8695C0: PK11_GetIVLength.NSS3(?), ref: 6C869767
Part of subcall function 6C8695C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C86977E
Part of subcall function 6C8695C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C86978E

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID:
API String ID: 3136566230-0
Opcode ID: 091e1661c179b444ec11d51ed7dc8d100595fa8cb3b8c85ed5be1e7c55fd69ce
Instruction ID: cac43400fd681dd03e91b4a1ce42d217a449d70599dcd09cb49df1f9fc05c85a
Opcode Fuzzy Hash: 091e1661c179b444ec11d51ed7dc8d100595fa8cb3b8c85ed5be1e7c55fd69ce
Instruction Fuzzy Hash: C04104B1901219ABEB209F69DE41BAF7678AF0430DF100934E91557B52F735EA18CBF2

Function 6C824FD0 Relevance: 16.6, APIs: 11, Instructions: 112COMMON

Download Yara Rule

APIs

PR_NewLock.NSS3(00000001,00000000,6C970148,?,6C836FEC), ref: 6C82502A
PR_NewLock.NSS3(00000001,00000000,6C970148,?,6C836FEC), ref: 6C825034
PL_NewHashTable.NSS3(00000000,6C87FE80,6C87FD30,6C8CC350,00000000,00000000,00000001,00000000,6C970148,?,6C836FEC), ref: 6C825055
PL_NewHashTable.NSS3(00000000,6C87FE80,6C87FD30,6C8CC350,00000000,00000000,?,00000001,00000000,6C970148,?,6C836FEC), ref: 6C82506D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: HashLockTable
String ID:
API String ID: 3862423791-0
Opcode ID: 0e2b9526e4bf7b6f22ea4d7c48165ad495846669052198132f3ac6336f674681
Instruction ID: cb51308c0e6b17017d3d93644a312d1fc4f2a32b73e413f719c64c53ca723f63
Opcode Fuzzy Hash: 0e2b9526e4bf7b6f22ea4d7c48165ad495846669052198132f3ac6336f674681
Instruction Fuzzy Hash: 5831D7B1B4FB209BDB209A658E4CB5777B89B13708F314D24EA05C7644D3788644CBE1

Function 6C7C2E50 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?), ref: 6C7C2F3D
memset.VCRUNTIME140(?,00000000,?), ref: 6C7C2FB9
memcpy.VCRUNTIME140(?,00000000,?), ref: 6C7C3005
memcpy.VCRUNTIME140(?,?,?), ref: 6C7C30EE
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C7C3131
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C7C3178

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7C3022, 6C7C3156, 6C7C3162, 6C7C318A, 6C7C3196, 6C7C31A2, 6C7C31AE, 6C7C31BA, 6C7C31C6
%s at line %d of [%.10s], xrefs: 6C7C3171
database corruption, xrefs: 6C7C316C

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: memcpy$memsetsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 984749767-598938438
Opcode ID: 15a49cdfb9b380b6fd900c6d14d4a259ea1da669628af78f42cd08cf15f7a630
Instruction ID: 92b25d535e573223171836a1b7da8c8511a26a8d8635b427d777161f32900f75
Opcode Fuzzy Hash: 15a49cdfb9b380b6fd900c6d14d4a259ea1da669628af78f42cd08cf15f7a630
Instruction Fuzzy Hash: 0FB1ADB0F0561A9FDB08CF9DC984AEEB7B2BF48304F144029E849B7B45D774A945CBA1

Function 6C7A2400 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 125COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,bind on a busy prepared statement: [%s],?), ref: 6C7A24EC
sqlite3_log.NSS3(00000015,API called with NULL prepared statement,?,?,?,?,?,6C7A2315), ref: 6C7A254F
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000151C9,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,6C7A2315), ref: 6C7A256C

Strings

bind on a busy prepared statement: [%s], xrefs: 6C7A24E6
API called with finalized prepared statement, xrefs: 6C7A2543, 6C7A254D
API called with NULL prepared statement, xrefs: 6C7A253C
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7A24F4, 6C7A2557
%s at line %d of [%.10s], xrefs: 6C7A2566
misuse, xrefs: 6C7A2561

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$misuse
API String ID: 632333372-2222229625
Opcode ID: 9dcfcae73f7ec5fa9f1a973593bf2ecc4f570bd4642309de0526023b81cea07e
Instruction ID: 84259765612980357c5176d6bc8eb12b810bece0dc88dbddd84baae3f3c66a93
Opcode Fuzzy Hash: 9dcfcae73f7ec5fa9f1a973593bf2ecc4f570bd4642309de0526023b81cea07e
Instruction Fuzzy Hash: A2410371604600CFE7148F9AD99CBA777A6BF82318F250A7CE8194FB40DB36E8168791

Function 6C7A6600 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 95COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,NULL), ref: 6C7A6C66
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0001F490,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C7A6C83

Strings

unopened, xrefs: 6C7A6C9F
invalid, xrefs: 6C7A6C95
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7A6C6E
%s at line %d of [%.10s], xrefs: 6C7A6C7D
NULL, xrefs: 6C7A6C55, 6C7A6C5F
misuse, xrefs: 6C7A6C78
API call with %s database connection pointer, xrefs: 6C7A6C60

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 632333372-4248800309
Opcode ID: 51a9ff7c27a962d8a0bb978c664b4eae03b2e873ce9139c7fb87352c0d310168
Instruction ID: b60353433cc808b8cc68e0b5856f544c3a9a1b7cb3e0816e862f9b5c9131ddec
Opcode Fuzzy Hash: 51a9ff7c27a962d8a0bb978c664b4eae03b2e873ce9139c7fb87352c0d310168
Instruction Fuzzy Hash: 61318072B042049BEB00CEAD8E557AB3BB5EB85318F154338DD18DBB84E731EA4683D1

Function 6C820F30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C820F62
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C820F84

Part of subcall function 6C87B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9518D0,?), ref: 6C87B095

SEC_QuickDERDecodeItem_Util.NSS3(?,6C83F59B,6C94890C,?), ref: 6C820FA8
PORT_Alloc_Util.NSS3(4C8B1474), ref: 6C820FC1

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

memcpy.VCRUNTIME140(00000000,?,4C8B1474), ref: 6C820FDB
PR_CallOnce.NSS3(6C982AA4,6C8812D0), ref: 6C820FEF
PL_FreeArenaPool.NSS3(?), ref: 6C821001
PL_FinishArenaPool.NSS3(?), ref: 6C821009

Strings

security, xrefs: 6C820F5C

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ArenaPoolUtil$DecodeItem_Quick$Alloc_CallErrorFinishFreeInitOnceValuemallocmemcpy
String ID: security
API String ID: 2061345354-3315324353
Opcode ID: 40766abd89bd585c8aef27e541cbaec6251d4ce8037d774d5ac49ee0736fcd9b
Instruction ID: 4cde17d00c24aeb3bd0ffe133808d8540ad02f0dbf095efaaf653e42aec34bcb
Opcode Fuzzy Hash: 40766abd89bd585c8aef27e541cbaec6251d4ce8037d774d5ac49ee0736fcd9b
Instruction Fuzzy Hash: 2A213671904204ABE7209F28DE44AAFB7B4EF8565CF108928FC1897642FB31D945CBE2

Function 6C826DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6C827D8F,6C827D8F,?,?), ref: 6C826DC8

Part of subcall function 6C87FDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C87FE08
Part of subcall function 6C87FDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C87FE1D
Part of subcall function 6C87FDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C87FE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C827D8F,?,?), ref: 6C826DD5

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C948FA0,00000000,?,?,?,?,6C827D8F,?,?), ref: 6C826DF7

Part of subcall function 6C87B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9518D0,?), ref: 6C87B095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C826E35

Part of subcall function 6C87FDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C87FE29
Part of subcall function 6C87FDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C87FE3D
Part of subcall function 6C87FDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C87FE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C826E4C

Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C948FE0,00000000), ref: 6C826E82

Part of subcall function 6C826AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C82B21D,00000000,00000000,6C82B219,?,6C826BFB,00000000,?,00000000,00000000,?,?,?,6C82B21D), ref: 6C826B01
Part of subcall function 6C826AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C826B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C826F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C826F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C948FE0,00000000), ref: 6C826F6B
PR_SetError.NSS3(FFFFE005,00000000,6C827D8F,?,?), ref: 6C826FE1

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: 3a2a02f941cbf90861a38c81cb2b427956f930eabe76f927bed947aa816f5e98
Instruction ID: 1183eec4e61ec1166653a8c91976f28bb9abef7a0ae90bd89df775783dd5c4c0
Opcode Fuzzy Hash: 3a2a02f941cbf90861a38c81cb2b427956f930eabe76f927bed947aa816f5e98
Instruction Fuzzy Hash: 23718F71D102469BEB20CF19CE44BAABBA4BF94308F154629E818D7B51F774EAD4CBD0

Function 6C860FE0 Relevance: 15.2, APIs: 10, Instructions: 192memorystringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C861057
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C861085
PK11_GetAllTokens.NSS3 ref: 6C8610B1
free.MOZGLUE(?), ref: 6C861107
PR_SetError.NSS3(00000000,00000000), ref: 6C861172
free.MOZGLUE(?), ref: 6C861182
free.MOZGLUE(?), ref: 6C8611A6
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C8611C5

Part of subcall function 6C8652C0: TlsGetValue.KERNEL32(?,00000001,00000002,?,?,?,?,?,?,?,?,?,?,6C83EAC5,00000001), ref: 6C8652DF
Part of subcall function 6C8652C0: EnterCriticalSection.KERNEL32(?), ref: 6C8652F3
Part of subcall function 6C8652C0: PR_Unlock.NSS3(?), ref: 6C865358

PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C8611D3
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C8611F3

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Utilfree$Alloc_Error$CriticalEnterEqual_ItemsK11_SectionTokensUnlockValuestrlen
String ID:
API String ID: 1549229083-0
Opcode ID: 7e4d46dcef24e64014b8fab1ffb7972f43b015f01e77bf415143c375fea4e1ad
Instruction ID: b2eea7c178415c4e336cab909636c249a6ade2d15b2299060875bafad8fbcd3a
Opcode Fuzzy Hash: 7e4d46dcef24e64014b8fab1ffb7972f43b015f01e77bf415143c375fea4e1ad
Instruction Fuzzy Hash: 5F61B6B0E053459FEF20DF69D941B9EB7B4AF04348F144928ED19ABB42E731E944CB61

Function 6C86ADC0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE10
EnterCriticalSection.KERNEL32(?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE24
PR_Unlock.NSS3(?,?,?,?,?,?,6C84D079,00000000,00000001), ref: 6C86AE5A
memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE6F
free.MOZGLUE(85145F8B,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE7F
TlsGetValue.KERNEL32(?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AEB1
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AEC9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AEF1
free.MOZGLUE(6C84CDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6C84CDBB,?), ref: 6C86AF0B
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AF30

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValuefree$memset
String ID:
API String ID: 161582014-0
Opcode ID: e57ff6a498ba44a26dd4248060b66edf584420b6869665ec4c7875cea4d3b13e
Instruction ID: 9039b01152bfe4681526a566189aa18c34167103770f333bd54f868e500815cd
Opcode Fuzzy Hash: e57ff6a498ba44a26dd4248060b66edf584420b6869665ec4c7875cea4d3b13e
Instruction Fuzzy Hash: 4551D1B1A05612EFDB21DF2AD984B96B7B4FF05318F144A64E80897E11E731F864CBE1

Function 6C844CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6C84AB7F,?,00000000,?), ref: 6C844CB4
EnterCriticalSection.KERNEL32(0000001C,?,6C84AB7F,?,00000000,?), ref: 6C844CC8
TlsGetValue.KERNEL32(?,6C84AB7F,?,00000000,?), ref: 6C844CE0
EnterCriticalSection.KERNEL32(?,?,6C84AB7F,?,00000000,?), ref: 6C844CF4
PL_HashTableLookup.NSS3(?,?,?,6C84AB7F,?,00000000,?), ref: 6C844D03
PR_Unlock.NSS3(?,00000000,?), ref: 6C844D10

Part of subcall function 6C8CDD70: TlsGetValue.KERNEL32 ref: 6C8CDD8C
Part of subcall function 6C8CDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C8CDDB4

PR_Now.NSS3(?,00000000,?), ref: 6C844D26

Part of subcall function 6C8E9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C930A27), ref: 6C8E9DC6
Part of subcall function 6C8E9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C930A27), ref: 6C8E9DD1
Part of subcall function 6C8E9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8E9DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6C844D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C844DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C844E02

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: 6b4e6952ba1ad8fe963aab79f2c788effb854fc1f973305067a56c1f37b682e8
Instruction ID: fad8095edea847bc431ded07e9d3c582754fac93a5b0857c18f972c9f90d7153
Opcode Fuzzy Hash: 6b4e6952ba1ad8fe963aab79f2c788effb854fc1f973305067a56c1f37b682e8
Instruction Fuzzy Hash: C941EAB5A001199BEB215F68EE40A6677B8FF85219F158970EC08C7B11FF31D914C7E2

Function 6C822E00 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C822CDA,?,00000000), ref: 6C822E1E

Part of subcall function 6C87FD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C829003,?), ref: 6C87FD91
Part of subcall function 6C87FD80: PORT_Alloc_Util.NSS3(A4686C88,?), ref: 6C87FDA2
Part of subcall function 6C87FD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C88,?,?), ref: 6C87FDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6C822E33

Part of subcall function 6C87FD80: free.MOZGLUE(00000000,?,?), ref: 6C87FDD1

TlsGetValue.KERNEL32 ref: 6C822E4E
EnterCriticalSection.KERNEL32(?), ref: 6C822E5E
PL_HashTableLookup.NSS3(?), ref: 6C822E71
PL_HashTableRemove.NSS3(?), ref: 6C822E84
PL_HashTableAdd.NSS3(?,00000000), ref: 6C822E96
PR_Unlock.NSS3 ref: 6C822EA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C822EB6
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C822EC5

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
String ID:
API String ID: 3332421221-0
Opcode ID: 58463ef09619a4973dd5fdc11259c1ec81edb481652a135aac48fc8ad9cee342
Instruction ID: b15e16d27a6f07994c42e536e5538ab82baa895057884a32a4b80fb59033a81e
Opcode Fuzzy Hash: 58463ef09619a4973dd5fdc11259c1ec81edb481652a135aac48fc8ad9cee342
Instruction Fuzzy Hash: A6212876A05101A7DF212B29DE0DE9A3A64EB5231DF140C30ED1886752F736C598D2E1

Function 6C8B0690 Relevance: 15.1, APIs: 10, Instructions: 57threadCOMMON

Download Yara Rule

APIs

PR_NewLock.NSS3(00000000,?,?,6C8B0642,?,?,6C8B477E,00000000), ref: 6C8B0695

Part of subcall function 6C8E98D0: calloc.MOZGLUE(00000001,00000084,6C810936,00000001,?,6C81102C), ref: 6C8E98E5

PR_NewLock.NSS3(00000000,?,?,6C8B0642,?,?,6C8B477E,00000000), ref: 6C8B06A1

Part of subcall function 6C8E98D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C8E9946
Part of subcall function 6C8E98D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C7A16B7,00000000), ref: 6C8E994E
Part of subcall function 6C8E98D0: free.MOZGLUE(00000000), ref: 6C8E995E

PR_GetCurrentThread.NSS3(00000000,?,?,6C8B0642,?,?,6C8B477E,00000000), ref: 6C8B06BB
DeleteCriticalSection.KERNEL32(?,00000000,?,?,6C8B0642,?,?,6C8B477E,00000000), ref: 6C8B06D1
free.MOZGLUE(?,?,?,6C8B0642,?,?,6C8B477E,00000000), ref: 6C8B06D8
PR_SetError.NSS3(FFFFE09A,00000000,00000000,?,?,6C8B0642,?,?,6C8B477E,00000000), ref: 6C8B06F4

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

DeleteCriticalSection.KERNEL32(?), ref: 6C8B070A
free.MOZGLUE(?), ref: 6C8B0711
PR_SetError.NSS3(FFFFE09A,00000000), ref: 6C8B072D
PR_SetError.NSS3(?,00000000), ref: 6C8B0738

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Error$CriticalSectionfree$DeleteLock$CountCurrentInitializeLastSpinThreadValuecalloc
String ID:
API String ID: 3345202482-0
Opcode ID: 3fed3a1bec681db107f3152d7b91ce76742f67a12c6cdd6ed789ab77eddd3a92
Instruction ID: 376a3f4bcec222d37065fb97edd4dae6ea6e8b5c91e2b2e66a632f2652b33cf5
Opcode Fuzzy Hash: 3fed3a1bec681db107f3152d7b91ce76742f67a12c6cdd6ed789ab77eddd3a92
Instruction Fuzzy Hash: 56118CF2B0AA225BDF20AFA88F0974E37786B87718F200834E409A7B00E774D005C796

Function 6C8C66A0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 358COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(00000000), ref: 6C8C690A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C8C6999
PK11_ImportDataKey.NSS3(00000000,0000402A,00000004,0000010C,?,00000000), ref: 6C8C69E3

Part of subcall function 6C8AF060: PR_SetError.NSS3(FFFFE013,00000000,?,?,?,hrr ech accept confirmation,?,6C8C67A0,?,?,?), ref: 6C8AF08A

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C8C6A1F
PK11_FreeSymKey.NSS3(?), ref: 6C8C6A3F
PK11_FreeSymKey.NSS3(?), ref: 6C8C6A58

Part of subcall function 6C8AEE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C8AEE85

Part of subcall function 6C8AEE50: realloc.MOZGLUE(3A2AAD3E,?), ref: 6C8AEEAE
Part of subcall function 6C8AEE50: PORT_Alloc_Util.NSS3(?), ref: 6C8AEEC5
Part of subcall function 6C8AEE50: htonl.WSOCK32(?), ref: 6C8AEEE3
Part of subcall function 6C8AEE50: htonl.WSOCK32(00000000,?), ref: 6C8AEEED
Part of subcall function 6C8AEE50: memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C8AEF01

Strings

hrr ech accept confirmation, xrefs: 6C8C66C3, 6C8C6A9B
ech accept confirmation, xrefs: 6C8C66BE

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: K11_$FreeUtil$ErrorItem_Zfreehtonl$Alloc_DataImportmemcpyrealloc
String ID: ech accept confirmation$hrr ech accept confirmation
API String ID: 316861715-779126823
Opcode ID: 3468af72c9b5a201b9ea1e97665e1324a1f32c974b7353dfc5d70c82873d9b43
Instruction ID: bbed043e7331fe4f197526f4eb50c09f3b3e73a8e26a5666aba8a13c8f22e1a7
Opcode Fuzzy Hash: 3468af72c9b5a201b9ea1e97665e1324a1f32c974b7353dfc5d70c82873d9b43
Instruction Fuzzy Hash: EFB1C3B2A043056BE720DB689E41BFB76A8AF5434CF040D38FD54D6681F731E61987A3

Function 6C7ACEC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C7AB999), ref: 6C7ACFF3
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C7AB999), ref: 6C7AD02B
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6C7AB999), ref: 6C7AD041
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C7AB999), ref: 6C8F972B

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7ACFDD, 6C7AD00E, 6C7AD022, 6C7AD033, 6C8F9780
%s at line %d of [%.10s], xrefs: 6C7ACFEC, 6C7AD018, 6C7AD029, 6C7AD03F, 6C8F978B
database corruption, xrefs: 6C7ACFE7, 6C7AD013, 6C7AD028, 6C7AD039, 6C7AD03E, 6C8F9786

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 491875419-598938438
Opcode ID: d6f36f532db5f1d73c19fc2a945b8f68e1190c346b58ccda18edb93ecd6c3b80
Instruction ID: 85eae89c6525dc05d0ec8bf35d4138d8835035f8cc85696ab238006826d76344
Opcode Fuzzy Hash: d6f36f532db5f1d73c19fc2a945b8f68e1190c346b58ccda18edb93ecd6c3b80
Instruction Fuzzy Hash: CC614971A043109BD310CF69C940BA7B7F6EF95318F6846ADE4489BB82D376E847C7A1

Function 6C932680 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_release_memory.NSS3(PR_Select(),PR_Poll()), ref: 6C93269F
calloc.MOZGLUE(00000014,00000008), ref: 6C9326E0
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C9326F4
PR_Sleep.NSS3(?), ref: 6C932710

Part of subcall function 6C93C2A0: PR_IntervalNow.NSS3 ref: 6C93C2BE
Part of subcall function 6C93C2A0: PR_NewCondVar.NSS3 ref: 6C93C2CC
Part of subcall function 6C93C2A0: EnterCriticalSection.KERNEL32(?), ref: 6C93C2E8
Part of subcall function 6C93C2A0: PR_IntervalNow.NSS3 ref: 6C93C2F7
Part of subcall function 6C93C2A0: _PR_MD_UNLOCK.NSS3(?), ref: 6C93C378
Part of subcall function 6C93C2A0: DeleteCriticalSection.KERNEL32(?), ref: 6C93C390
Part of subcall function 6C93C2A0: free.MOZGLUE(?), ref: 6C93C397

Part of subcall function 6C9328A0: realloc.MOZGLUE(?,000000A8), ref: 6C9328EB
Part of subcall function 6C9328A0: memset.VCRUNTIME140(-FFFFFAC0,00000000,000000A0), ref: 6C93290A

PR_SetError.NSS3(FFFFE891,00000000), ref: 6C93287D
free.MOZGLUE(?), ref: 6C93288B

Strings

PR_Poll(), xrefs: 6C932695
PR_Select(), xrefs: 6C93269A

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalErrorIntervalSectionfree$CondDeleteEnterSleepcallocmemsetreallocsqlite3_release_memory
String ID: PR_Poll()$PR_Select()
API String ID: 3069664790-3034026096
Opcode ID: 52c681103b044bcc77ef435b8fadf83d69efec1891be3df51fb3151526c5763c
Instruction ID: a389d811517793b1107d47d5d4413115ebced01dedcd65d174318f58138c0d7a
Opcode Fuzzy Hash: 52c681103b044bcc77ef435b8fadf83d69efec1891be3df51fb3151526c5763c
Instruction Fuzzy Hash: 4A61D175A01A268FDB00CF69C8487AAB7B5FF44308F248169DD1D9B792E730E805CBD1

Function 6C8AEF30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,?,6C8CA4A1,?,00000000,?,00000001), ref: 6C8AEF6D

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

htonl.WSOCK32(00000000,?,6C8CA4A1,?,00000000,?,00000001), ref: 6C8AEFE4
htonl.WSOCK32(?,00000000,?,6C8CA4A1,?,00000000,?,00000001), ref: 6C8AEFF1
memcpy.VCRUNTIME140(?,?,6C8CA4A1,?,00000000,?,6C8CA4A1,?,00000000,?,00000001), ref: 6C8AF00B
memcpy.VCRUNTIME140(?,00000000,?,?,?,00000000,?,6C8CA4A1,?,00000000,?,00000001), ref: 6C8AF027

Strings

dtls13, xrefs: 6C8AEF33

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: htonlmemcpy$ErrorValue
String ID: dtls13
API String ID: 242828995-1883198198
Opcode ID: ea436e67680b14483ee6d3c36710c332168842f319a24aa68544e8d979741147
Instruction ID: 4e35ef1b9cf8fe06254b0dd68440a5ef0fe4f26bc618b69987040a0e4475bcfc
Opcode Fuzzy Hash: ea436e67680b14483ee6d3c36710c332168842f319a24aa68544e8d979741147
Instruction Fuzzy Hash: 9E312A71A012159FC720DF68CD80B8AB7E4EF49348F158869E8189B751E731ED26CBE1

Function 6C82AF60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C82AFBE
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C949500,6C823F91), ref: 6C82AFD2

Part of subcall function 6C87B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9518D0,?), ref: 6C87B095

DER_GetInteger_Util.NSS3(?), ref: 6C82B007

Part of subcall function 6C876A90: PR_SetError.NSS3(FFFFE009,00000000,?,00000000,?,6C821666,?,6C82B00C,?), ref: 6C876AFB

PR_SetError.NSS3(FFFFE009,00000000), ref: 6C82B02F
PR_CallOnce.NSS3(6C982AA4,6C8812D0), ref: 6C82B046
PL_FreeArenaPool.NSS3 ref: 6C82B058
PL_FinishArenaPool.NSS3 ref: 6C82B060

Strings

security, xrefs: 6C82AFB8

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ArenaErrorPool$Util$CallDecodeFinishFreeInitInteger_Item_OnceQuick
String ID: security
API String ID: 3627567351-3315324353
Opcode ID: c0c4b2f42020aa9c5c6ff96d80d5ba385f7725bdd97d633b40b13b8bc077840f
Instruction ID: a7b3959bc863383fa64e8db93b3566c17f453259f8ca3297b500d16ea71ae08f
Opcode Fuzzy Hash: c0c4b2f42020aa9c5c6ff96d80d5ba385f7725bdd97d633b40b13b8bc077840f
Instruction Fuzzy Hash: 61310A7040630097D7318F189948BBAB7A4AF8632CF104E29E9755BBD1E736D189C797

Function 6C86CC70 Relevance: 13.8, APIs: 9, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6C86CD08
PK11_DoesMechanism.NSS3(?,?), ref: 6C86CE16
PR_SetError.NSS3(00000000,00000000), ref: 6C86D079

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID:
API String ID: 1351604052-0
Opcode ID: 5d3e694d63e4fa98638b83d3e08c413ee4d90793393615aa04f0f0877fb071bd
Instruction ID: bccba5537a892d8da680d85ee3d6e70aa9119a98b69061a4c2e92b678aa728d3
Opcode Fuzzy Hash: 5d3e694d63e4fa98638b83d3e08c413ee4d90793393615aa04f0f0877fb071bd
Instruction Fuzzy Hash: 84C1A1B1A002199BDB20CF19CD80BDAB7B4BF48308F2445A9E94C97B41E775EE95CF91

Function 6C86C710 Relevance: 13.8, APIs: 9, Instructions: 271COMMON

Download Yara Rule

APIs

Part of subcall function 6C86C590: PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C86C5C7
Part of subcall function 6C86C590: PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C86C603

TlsGetValue.KERNEL32 ref: 6C86C825
EnterCriticalSection.KERNEL32(?), ref: 6C86C839
PR_Unlock.NSS3(?), ref: 6C86C88B
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C86C966

Part of subcall function 6C86CA30: TlsGetValue.KERNEL32 ref: 6C86CA95
Part of subcall function 6C86CA30: EnterCriticalSection.KERNEL32(00000000), ref: 6C86CAA9
Part of subcall function 6C86CA30: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,00000000,?,6C86C8CF,?,?,?), ref: 6C86CAE7
Part of subcall function 6C86CA30: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C86CB09

PK11_FreeSymKey.NSS3(?), ref: 6C86C949
PK11_FreeSymKey.NSS3(?), ref: 6C86C954
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C86C9A8
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C86C9B7
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C86C9F9

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ErrorK11_$CriticalDoesEnterFreeMechanismSectionUnlockValue$Item_UtilZfree
String ID:
API String ID: 1505861056-0
Opcode ID: 18f2f86fa92a833fa8e1a8007bf175bc4697ab9461062f1082f9f1449e59df68
Instruction ID: 07f431a509e5ae650bd9c1011aad42d63c91b97431cf94f297fcbcdeb514b3f5
Opcode Fuzzy Hash: 18f2f86fa92a833fa8e1a8007bf175bc4697ab9461062f1082f9f1449e59df68
Instruction Fuzzy Hash: 92A17371E00219AFDF20DF6ADD80B9EB7B5BF48348F144428E809A7B42E771E955CB90

Function 6C8406A0 Relevance: 13.7, APIs: 9, Instructions: 225stringCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C8406C2
EnterCriticalSection.KERNEL32(?), ref: 6C8406D6
PR_Unlock.NSS3 ref: 6C8406EB

Part of subcall function 6C8CDD70: TlsGetValue.KERNEL32 ref: 6C8CDD8C
Part of subcall function 6C8CDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C8CDDB4

free.MOZGLUE(?), ref: 6C8407DE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8407FA

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSectionValue$EnterLeaveUnlockfreestrlen
String ID:
API String ID: 3527478211-0
Opcode ID: ecf6a5535903988a2e0c2c6f6929980e9d19f069b0db4f02f6b42d083574e224
Instruction ID: 2979d8ce6c1ad014b2e207f1bca4aabce6d8bf55762d59a8fed3e0a47ecbebd9
Opcode Fuzzy Hash: ecf6a5535903988a2e0c2c6f6929980e9d19f069b0db4f02f6b42d083574e224
Instruction Fuzzy Hash: 9081E9B1900314DFEB209F68CE45AAB7BB4AF15308F059868ED4D5B722E731E958CBD1

Function 6C894620 Relevance: 13.7, APIs: 9, Instructions: 221threadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE02F,00000000,?,?,?,00000000), ref: 6C894963

Part of subcall function 6C833090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C84AE42), ref: 6C8330AA
Part of subcall function 6C833090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8330C7
Part of subcall function 6C833090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C8330E5
Part of subcall function 6C833090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C833116
Part of subcall function 6C833090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C83312B
Part of subcall function 6C833090: PK11_DestroyObject.NSS3(?,?), ref: 6C833154
Part of subcall function 6C833090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C83317E

SECOID_FindOID_Util.NSS3(?), ref: 6C89465E

Part of subcall function 6C8807B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C828298,?,?,?,6C81FCE5,?), ref: 6C8807BF
Part of subcall function 6C8807B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8807E6
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C88081B
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C880825

SECOID_FindOIDByTag_Util.NSS3(000000BF,00000000), ref: 6C894709
SECOID_GetAlgorithmTag_Util.NSS3(?,00000000), ref: 6C894727
SECOID_GetAlgorithmTag_Util.NSS3(?,?,00000000), ref: 6C89473B
PORT_NewArena_Util.NSS3(00000400,?,?,?,?,?,?,?,00000000), ref: 6C894801
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C952DA0,?,?,?,?,?,?,?,?,00000000), ref: 6C89482E
PR_GetCurrentThread.NSS3 ref: 6C8948F3
PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C894923
PR_SetError.NSS3(FFFFE02F,00000000), ref: 6C894937
SECKEY_DestroyPublicKey.NSS3(?,?,?,00000000), ref: 6C89494E
PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C894984
VFY_VerifyDataWithAlgorithmID.NSS3(?,?,?,6C8921C2,?,?,?), ref: 6C89499C
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C8949B5
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,00000000), ref: 6C8949C5
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C8949DC
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C8949E9

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena_Error$AlgorithmFreeTag_$Destroy$FindHashItem_LookupPublicTable$Alloc_ArenaConstCopyCurrentDataEncodeK11_ObjectThreadVerifyWithmemset
String ID:
API String ID: 1962444627-0
Opcode ID: 5e94d17f543bd8c7b48954af691498799b0ecf59fa367922ff834e1c1a094cb6
Instruction ID: f5b12e372f6131882f245ae21887fa21616b1e0e6c64736766c46ca14b0c3de3
Opcode Fuzzy Hash: 5e94d17f543bd8c7b48954af691498799b0ecf59fa367922ff834e1c1a094cb6
Instruction Fuzzy Hash: B571F7B5E012185BFB308A6DDA80BAE7764AFC631CF204839DD25A7B51E731EC448B91

Function 6C822C30 Relevance: 13.7, APIs: 9, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(3A2AAD3E), ref: 6C822C5D

Part of subcall function 6C880D30: calloc.MOZGLUE ref: 6C880D50
Part of subcall function 6C880D30: TlsGetValue.KERNEL32 ref: 6C880D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C822C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C822CE0

Part of subcall function 6C822E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C822CDA,?,00000000), ref: 6C822E1E
Part of subcall function 6C822E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C822E33
Part of subcall function 6C822E00: TlsGetValue.KERNEL32 ref: 6C822E4E
Part of subcall function 6C822E00: EnterCriticalSection.KERNEL32(?), ref: 6C822E5E
Part of subcall function 6C822E00: PL_HashTableLookup.NSS3(?), ref: 6C822E71
Part of subcall function 6C822E00: PL_HashTableRemove.NSS3(?), ref: 6C822E84
Part of subcall function 6C822E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C822E96
Part of subcall function 6C822E00: PR_Unlock.NSS3 ref: 6C822EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C822D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6C822D30
CERT_MakeCANickname.NSS3(00000001), ref: 6C822D3F
free.MOZGLUE(00000000), ref: 6C822D73
CERT_DestroyCertificate.NSS3(?), ref: 6C822DB8
free.MOZGLUE ref: 6C822DC8

Part of subcall function 6C823E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C823EC2
Part of subcall function 6C823E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C823ED6
Part of subcall function 6C823E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C823EEE
Part of subcall function 6C823E60: PR_CallOnce.NSS3(6C982AA4,6C8812D0), ref: 6C823F02
Part of subcall function 6C823E60: PL_FreeArenaPool.NSS3 ref: 6C823F14
Part of subcall function 6C823E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C823F27

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID:
API String ID: 3941837925-0
Opcode ID: edd25c90dde1916c6200b892a18e4f8bc8309c11b375cc291dd61f0564edd28e
Instruction ID: 7ade33bffda23161e4bb02db600d969d6a2c53b3b2a32cdb99b2770b66b066ab
Opcode Fuzzy Hash: edd25c90dde1916c6200b892a18e4f8bc8309c11b375cc291dd61f0564edd28e
Instruction Fuzzy Hash: 01511071A142199FEB218F28CE8CB5B77E5EF84329F140C38EC4583610E739E8948BD2

Function 6C836730 Relevance: 13.6, APIs: 9, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 6C835DB0: NSS_GetAlgorithmPolicy.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C835DEC
Part of subcall function 6C835DB0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,?,?,?,?,?,?), ref: 6C835E0F

_SGN_VerifyPKCS1DigestInfo.NSS3(00000000,?,?,00000000,?,?,?,?,?,?,?,?,6C836729), ref: 6C8367A0

Part of subcall function 6C87A470: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C87A4A6
Part of subcall function 6C87A470: PORT_Alloc_Util.NSS3(?), ref: 6C87A4EC
Part of subcall function 6C87A470: memcpy.VCRUNTIME140(-00000006,?,?), ref: 6C87A527
Part of subcall function 6C87A470: memcmp.VCRUNTIME140(00000006,?,?), ref: 6C87A56D
Part of subcall function 6C87A470: memcmp.VCRUNTIME140(00000006,00000006,00000004), ref: 6C87A583
Part of subcall function 6C87A470: PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C87A596
Part of subcall function 6C87A470: free.MOZGLUE(?), ref: 6C87A5A4

SECKEY_SignatureLen.NSS3(?,?,?,?,?,?,?,?,?,6C836729), ref: 6C8367C0
PR_SetError.NSS3(FFFFE030,00000000,?,?,?,?,?,?,?,?,?,6C836729), ref: 6C836800
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C836842
free.MOZGLUE(?), ref: 6C836855
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C83686B
free.MOZGLUE(00000000), ref: 6C836874
PK11_VerifyWithMechanism.NSS3(?,-00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C836729), ref: 6C8368C1
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C8368D6

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Error$Utilfree$Verifymemcmp$AlgorithmAlloc_DestroyDigestFindInfoItem_K11_MechanismPolicyPublicSignatureTag_WithZfreememcpy
String ID:
API String ID: 1437015310-0
Opcode ID: dd54b49c2dc0c2d0e33cd1f7c92c3ccb749a7821fe1787371186c1b9d658f904
Instruction ID: cbbda1e621a9b786646858ce21688d7318b55ed8d58836675ea74ebaa3a4f064
Opcode Fuzzy Hash: dd54b49c2dc0c2d0e33cd1f7c92c3ccb749a7821fe1787371186c1b9d658f904
Instruction Fuzzy Hash: 1751C670A012255BEB20DFACDD85BAB73B5FF49308F149928E85ED7741EA31E80587E1

Function 6C870750 Relevance: 13.6, APIs: 9, Instructions: 118COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,74720406,6C837296,00000000,?,6C8744FE,?,?,?,?,6C837296,00000000), ref: 6C8707AA
EnterCriticalSection.KERNEL32(?,?,74720406,6C837296,00000000,?,6C8744FE,?,?,?,?,6C837296,00000000), ref: 6C8707C7
PR_Unlock.NSS3(?,?,?,74720406,6C837296,00000000,?,6C8744FE,?,?,?,?,6C837296,00000000), ref: 6C8707E5
PK11_GetNextSafe.NSS3 ref: 6C870801
PR_Unlock.NSS3(?,?,?,74720406,6C837296,00000000,?,6C8744FE,?,?,?,?,6C837296,00000000), ref: 6C870817
TlsGetValue.KERNEL32(?,?,?,74720406,6C837296,00000000,?,6C8744FE,?,?,?,?,6C837296,00000000), ref: 6C870835
EnterCriticalSection.KERNEL32(?,?,?,?,74720406,6C837296,00000000,?,6C8744FE,?,?,?,?,6C837296,00000000), ref: 6C87084E
PR_Unlock.NSS3(?,?,?,?,?,74720406,6C837296,00000000,?,6C8744FE,?,?,?,?,6C837296,00000000), ref: 6C870870
free.MOZGLUE(?,?,?,?,?,74720406), ref: 6C87088F

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValue$K11_NextSafefree
String ID:
API String ID: 810312292-0
Opcode ID: beae27d8baacfcb6408ec0733cd61d187c6365304a2c61c72de32b799d8707a5
Instruction ID: 30700432a1bc5946c9e5709c9e3c15bed46bcbf5f6db0cd7a2366e634b2636a3
Opcode Fuzzy Hash: beae27d8baacfcb6408ec0733cd61d187c6365304a2c61c72de32b799d8707a5
Instruction Fuzzy Hash: 48412D74A04656CFCB20EF68C68456EBBF0BF05348F158D29D899D7B11EB31E984CBA1

Function 6C8B0750 Relevance: 13.6, APIs: 9, Instructions: 79COMMON

Download Yara Rule

APIs

SECITEM_ZfreeItem_Util.NSS3(00000130,00000000), ref: 6C8B076D

Part of subcall function 6C87FAB0: free.MOZGLUE(?,-00000001,?,?,6C81F673,00000000,00000000), ref: 6C87FAC7

SECITEM_ZfreeItem_Util.NSS3(000000EC,00000000), ref: 6C8B0787
SECITEM_ZfreeItem_Util.NSS3(000000F8,00000000), ref: 6C8B07A1
PR_DestroyRWLock.NSS3(?), ref: 6C8B07B4
free.MOZGLUE(?), ref: 6C8B07C4
free.MOZGLUE(?), ref: 6C8B07D5
CERT_DestroyCertificate.NSS3(?), ref: 6C8B07E6
CERT_DestroyCertificate.NSS3(?), ref: 6C8B080A
SECITEM_ZfreeItem_Util.NSS3(-00000104,00000000), ref: 6C8B081B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Item_UtilZfree$Destroyfree$Certificate$Lock
String ID:
API String ID: 2711105989-0
Opcode ID: 71b8ab6e4c37806bd1195200193ca9cd021a9bc229fb1ba779757f662aef4816
Instruction ID: f73bbe13da9764ebdd26b57722d636d50ccae5c5ca4f401de8867d55e9485e3f
Opcode Fuzzy Hash: 71b8ab6e4c37806bd1195200193ca9cd021a9bc229fb1ba779757f662aef4816
Instruction Fuzzy Hash: BE21C4F2B01606A7EB209A65DF45FD6B768BB0024DF104930E419A2F41F731F168CAE1

Function 6C89C790 Relevance: 13.6, APIs: 9, Instructions: 74COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C89C7AE
EnterCriticalSection.KERNEL32 ref: 6C89C7C7
PK11_FreeSymKey.NSS3 ref: 6C89C7E5
PK11_FreeSymKey.NSS3 ref: 6C89C801
PK11_FreeSymKey.NSS3 ref: 6C89C81D
PK11_FreeSymKey.NSS3 ref: 6C89C839
PK11_FreeSymKey.NSS3 ref: 6C89C855
PK11_FreeSymKey.NSS3 ref: 6C89C871
PR_Unlock.NSS3 ref: 6C89C891

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: FreeK11_$CriticalEnterSectionUnlockValue
String ID:
API String ID: 2586530110-0
Opcode ID: 98b7f59eadd7685418561dcb2d428c24098628c084fe21e6860ba0f58c54780e
Instruction ID: 190057c1e97b78b36fe49acc24ad90c8cce0c570d69cd89bc4f522e3e703f9d7
Opcode Fuzzy Hash: 98b7f59eadd7685418561dcb2d428c24098628c084fe21e6860ba0f58c54780e
Instruction Fuzzy Hash: 623129B1A06B108BE720AF7DC68836AB7E8AF01649F510D7CD8D6D7B41EB35E444CB91

Function 6C884DF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C88536F,00000022,?,?,00000000,?), ref: 6C884E70
PORT_ZAlloc_Util.NSS3(00000000), ref: 6C884F28
PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C884F8E
PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C884FAE
free.MOZGLUE(?), ref: 6C884FC8

Strings

%s=%c%s%c, xrefs: 6C884FA9
%s=%s, xrefs: 6C884F89

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: R_smprintf$Alloc_Utilfreeisspace
String ID: %s=%c%s%c$%s=%s
API String ID: 2709355791-2032576422
Opcode ID: ab4a5f5c63f5f92e0e72f96a9aed699bdad10b8ca5bbcb2c3d74f366740eda22
Instruction ID: 6d96795bcaed32199b62660e77c022e1556cac29c64590e5cd42c3260dfe9369
Opcode Fuzzy Hash: ab4a5f5c63f5f92e0e72f96a9aed699bdad10b8ca5bbcb2c3d74f366740eda22
Instruction Fuzzy Hash: 0F515E33A471498BEB21CA6986707FF7BFD9FC2318F144929E890A7E41D325990587B1

Function 6C838CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6C84124D,00000001), ref: 6C838D19
EnterCriticalSection.KERNEL32(?,?,?,?,6C84124D,00000001), ref: 6C838D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6C84124D,00000001), ref: 6C838D73
PR_Unlock.NSS3(?,?,?,?,?,6C84124D,00000001), ref: 6C838D8C

Part of subcall function 6C8CDD70: TlsGetValue.KERNEL32 ref: 6C8CDD8C
Part of subcall function 6C8CDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C8CDDB4

PR_Unlock.NSS3(?,?,?,?,?,6C84124D,00000001), ref: 6C838DBA

Strings

KRAM, xrefs: 6C838D3E
KRAM, xrefs: 6C838CF9

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: 41637ecaf59d5464256aee7868ad94836476a81fd88ecd53a04d2713e7373c59
Instruction ID: 31c6a855c12d4c13f53670b1744847b4acfe21d66d878cba995a8e5161754ed3
Opcode Fuzzy Hash: 41637ecaf59d5464256aee7868ad94836476a81fd88ecd53a04d2713e7373c59
Instruction Fuzzy Hash: 44218BB1A086218FCB11AFB8C68425AB7F0BF45309F15AD6AD888CB701DB34D841CBD1

Function 6C930ED0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C930EE6
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C930EFA

Part of subcall function 6C81AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C81AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C930F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C930F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C930F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C930F2B

Strings

Aborting, xrefs: 6C930EB3
Assertion failure: %s, at %s:%d, xrefs: 6C930ED9, 6C930EE5, 6C930F06, 6C930F0B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 2948422844-1374795319
Opcode ID: df7d4c4ea9a0a0e49aa918e4f88d613d235b38c41cdb9bef2acd7472011cb07d
Instruction ID: 8cd3ba33ba7386e41a9e70a21d5b64cc07c40545d685ce910af09626cb9b033f
Opcode Fuzzy Hash: df7d4c4ea9a0a0e49aa918e4f88d613d235b38c41cdb9bef2acd7472011cb07d
Instruction Fuzzy Hash: 0401C0B5900224ABDF02AF64DD45C9B3F3DEF46268B104024FD0987B01D731E92087B2

Function 6C9307B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60filestringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C811FA7,WinDebug,00000000,00000001,?,6C811FA7,00000000), ref: 6C9307BE
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(6C811FA7,6C95843A,6C811FA7,00000000), ref: 6C9307E0
setvbuf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000004,00000000), ref: 6C9307F6
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,6C811FA7,00000000), ref: 6C930812
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C930827
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C93083F

Strings

WinDebug, xrefs: 6C9307B8

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: __acrt_iob_func$fclosefopensetvbufstrcmp
String ID: WinDebug
API String ID: 1416283249-2102910228
Opcode ID: 76bae83d8e9852e8716ed40d8e135688eae407131c2d4d890460547209f72c54
Instruction ID: 9828c366f2dec919695938327bde464a0b23157ebc67d2cbed8c07b6c9e14273
Opcode Fuzzy Hash: 76bae83d8e9852e8716ed40d8e135688eae407131c2d4d890460547209f72c54
Instruction Fuzzy Hash: 3711A971B47170ABEF015A288D0966A376CDB43359F241579EC2ED7681EB21D81083F2

Function 6C8F4D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C8F4DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C8F4DE0

Strings

invalid, xrefs: 6C8F4DB8
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C8F4DCB
%s at line %d of [%.10s], xrefs: 6C8F4DDA
misuse, xrefs: 6C8F4DD5
API call with %s database connection pointer, xrefs: 6C8F4DBD

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 23b0ec21de8e1c37c49724dd337b817929c7af5d8e675874ee9eedec7b32778d
Instruction ID: bedf5f446671b411e9f02b02f494318b3c48fa6ff36dc9a06753bd11315e31f0
Opcode Fuzzy Hash: 23b0ec21de8e1c37c49724dd337b817929c7af5d8e675874ee9eedec7b32778d
Instruction Fuzzy Hash: F9F05911E146286FE710A015CF24F8233554FC13AEF870DE2EE187BE93D606E8A182F0

Function 6C8F4DF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C8F4E30
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C8F4E4D

Strings

invalid, xrefs: 6C8F4E25
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C8F4E38
%s at line %d of [%.10s], xrefs: 6C8F4E47
misuse, xrefs: 6C8F4E42
API call with %s database connection pointer, xrefs: 6C8F4E2A

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 52eeef896376ce05c2426b2e64fc93649bcc2d23191c471bc9ca57824f6dd853
Instruction ID: f16e7d198a6b7d1b842066f1ca1b4dcf4a2aa2beee28bb3421ebeb54fd07e02d
Opcode Fuzzy Hash: 52eeef896376ce05c2426b2e64fc93649bcc2d23191c471bc9ca57824f6dd853
Instruction Fuzzy Hash: CDF02E11F445186BE7208015DF14F83378647D13B9F4A4CA2EA1A77F92D609E87242E1

Function 6C860C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6C861444,?,00000001,?,00000000,00000000,?,?,6C861444,?,?,00000000,?,?), ref: 6C860CB3

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C861444,?,00000001,?,00000000,00000000,?,?,6C861444,?), ref: 6C860DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C861444,?,00000001,?,00000000,00000000,?,?,6C861444,?), ref: 6C860DEC

Part of subcall function 6C880F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C822AF5,?,?,?,?,?,6C820A1B,00000000), ref: 6C880F1A
Part of subcall function 6C880F10: malloc.MOZGLUE(00000001), ref: 6C880F30
Part of subcall function 6C880F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C880F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C861444,?,00000001,?,00000000,00000000,?), ref: 6C860DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C861444,?,00000001,?,00000000), ref: 6C860E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C861444,?,00000001,?,00000000,00000000,?), ref: 6C860E53
PR_GetCurrentThread.NSS3(?,?,?,?,6C861444,?,00000001,?,00000000,00000000,?,?,6C861444,?,?,00000000), ref: 6C860E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C861444,?,00000001,?,00000000,00000000,?), ref: 6C860E79

Part of subcall function 6C871560: TlsGetValue.KERNEL32(00000000,?,6C840844,?), ref: 6C87157A
Part of subcall function 6C871560: EnterCriticalSection.KERNEL32(?,?,?,6C840844,?), ref: 6C87158F
Part of subcall function 6C871560: PR_Unlock.NSS3(?,?,?,?,6C840844,?), ref: 6C8715B2

Part of subcall function 6C83B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C841397,00000000,?,6C83CF93,5B5F5EC0,00000000,?,6C841397,?), ref: 6C83B1CB
Part of subcall function 6C83B1A0: free.MOZGLUE(5B5F5EC0,?,6C83CF93,5B5F5EC0,00000000,?,6C841397,?), ref: 6C83B1D2

Part of subcall function 6C8389E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C8388AE,-00000008), ref: 6C838A04
Part of subcall function 6C8389E0: EnterCriticalSection.KERNEL32(?), ref: 6C838A15
Part of subcall function 6C8389E0: memset.VCRUNTIME140(6C8388AE,00000000,00000132), ref: 6C838A27
Part of subcall function 6C8389E0: PR_Unlock.NSS3(?), ref: 6C838A35

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: eb8bab50fe3221df5872a1398c6b1ac6d0f770eb4f9b61828f01912f2605a1ce
Instruction ID: f202af0a44532785840514023afa13788ed5ff4cec6d065752e4d7732072d982
Opcode Fuzzy Hash: eb8bab50fe3221df5872a1398c6b1ac6d0f770eb4f9b61828f01912f2605a1ce
Instruction Fuzzy Hash: 1751E9F6E002145FEB219F69DE81ABF37A89F05218F154934EC099BB02F731ED1487A6

Function 6C82E6B0 Relevance: 12.2, APIs: 8, Instructions: 191memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,00000000,?,?,6C8304DC,?,?), ref: 6C82E6C9

Part of subcall function 6C8814C0: TlsGetValue.KERNEL32 ref: 6C8814E0
Part of subcall function 6C8814C0: EnterCriticalSection.KERNEL32 ref: 6C8814F5
Part of subcall function 6C8814C0: PR_Unlock.NSS3 ref: 6C88150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000088,?,?,00000000,?,?,6C8304DC,?,?), ref: 6C82E6D9

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

memset.VCRUNTIME140(00000000,00000000,00000088,?,?,?,?,00000000,?,?,6C8304DC,?,?), ref: 6C82E6F4
SECOID_SetAlgorithmID_Util.NSS3(00000000,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000,?,?,6C8304DC,?), ref: 6C82E703

Part of subcall function 6C87BE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C82E708,00000000,00000000,00000004,00000000), ref: 6C87BE6A
Part of subcall function 6C87BE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C8304DC,?), ref: 6C87BE7E
Part of subcall function 6C87BE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C87BEC2

CERT_FindCertIssuer.NSS3(?,?,6C8304DC,0000000B,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C82E71E

Part of subcall function 6C82C870: PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,6C822D1A), ref: 6C82C919

Part of subcall function 6C82E5E0: PORT_ArenaMark_Util.NSS3(?,00000000,00000000,00000000,?,6C82E755,00000000,00000004,?,?), ref: 6C82E5F5
Part of subcall function 6C82E5E0: PR_SetError.NSS3(FFFFE005,00000000,?), ref: 6C82E62C

CERT_DestroyCertificate.NSS3(?), ref: 6C82E8AF

Part of subcall function 6C82E5E0: SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000000,?), ref: 6C82E63E
Part of subcall function 6C82E5E0: PK11_HashBuf.NSS3(?,?,?,?,?,?,?,?), ref: 6C82E65C
Part of subcall function 6C82E5E0: SECITEM_ZfreeItem_Util.NSS3(00000000,00000000,?), ref: 6C82E68E

SECITEM_CopyItem_Util.NSS3(00000000,-00000030,?), ref: 6C82E89E

Part of subcall function 6C87FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C878D2D,?,00000000,?), ref: 6C87FB85
Part of subcall function 6C87FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C87FBB1

CERT_DestroyCertificate.NSS3(?), ref: 6C82E885

Part of subcall function 6C8295B0: TlsGetValue.KERNEL32(00000000,?,6C8400D2,00000000), ref: 6C8295D2
Part of subcall function 6C8295B0: EnterCriticalSection.KERNEL32(?,?,?,6C8400D2,00000000), ref: 6C8295E7
Part of subcall function 6C8295B0: PR_Unlock.NSS3(?,?,?,?,6C8400D2,00000000), ref: 6C829605

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$ArenaItem_$Value$CopyCriticalEnterSectionUnlock$Alloc_CertificateDestroyErrorFindMark_$AlgorithmAllocAllocateCertHashIssuerK11_Tag_Zfreememcpymemset
String ID:
API String ID: 27740541-0
Opcode ID: e4d7f76415ecfb2d2958979208ef1a1ca2aac134063c549da3518918932b399c
Instruction ID: 5db212ed14de82181e2a5a8dc709d50676d81727fdd1387b1ef1fe2d600e0880
Opcode Fuzzy Hash: e4d7f76415ecfb2d2958979208ef1a1ca2aac134063c549da3518918932b399c
Instruction Fuzzy Hash: 5461ADB5D006099BEB18CF64CD41AFEB7B8EF09304F044629ED15AA741FB359A45CBE4

Function 6C816E50 Relevance: 12.2, APIs: 8, Instructions: 189COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3(?,?), ref: 6C816ED8
sqlite3_value_text.NSS3(?,?), ref: 6C816EE5
memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6C816FA8
sqlite3_value_text.NSS3(00000000,?), ref: 6C816FDB
sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6C816FF0
sqlite3_value_blob.NSS3(?,?), ref: 6C817010
sqlite3_value_blob.NSS3(?,?), ref: 6C81701D
sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6C817052

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
String ID:
API String ID: 1920323672-0
Opcode ID: ad508a22a122b67a71c02f8039ecd0a51bd64fa6e715e756e7b8f89ce6a604c4
Instruction ID: e56e9457be99c299f601d290ba388b03b275ab75ceb9cd29551a9d1a9254350b
Opcode Fuzzy Hash: ad508a22a122b67a71c02f8039ecd0a51bd64fa6e715e756e7b8f89ce6a604c4
Instruction Fuzzy Hash: 026191B1E0820B8FDB20CB68DA006EEB7F2EF45308F184968D455ABB51E7319805CB90

Function 6C888F80 Relevance: 12.2, APIs: 8, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,FFFFE005,?,6C887313), ref: 6C888FBB

Part of subcall function 6C8807B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C828298,?,?,?,6C81FCE5,?), ref: 6C8807BF
Part of subcall function 6C8807B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8807E6
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C88081B
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C880825

SECOID_FindOID_Util.NSS3(?,?,?,FFFFE005,?,6C887313), ref: 6C889012
SECOID_FindOID_Util.NSS3(?,?,?,?,FFFFE005,?,6C887313), ref: 6C88903C
SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,FFFFE005,?,6C887313), ref: 6C88909E
PORT_ArenaGrow_Util.NSS3(?,?,?,00000001,?,?,?,?,?,?,FFFFE005,?,6C887313), ref: 6C8890DB
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,FFFFE005,?,6C887313), ref: 6C8890F1

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

PR_SetError.NSS3(FFFFE005,00000000,?,?,?,FFFFE005,?,6C887313), ref: 6C88906B

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

PR_SetError.NSS3(FFFFE005,00000000,?,FFFFE005,?,6C887313), ref: 6C889128

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Error$ArenaFindValue$HashLookupTable$Alloc_AllocateCompareConstCriticalEnterGrow_Item_SectionUnlock
String ID:
API String ID: 3590961175-0
Opcode ID: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction ID: 1d592abd40743ba0288e3333ea8358cff6e9a026b47d0788dc9f4cb5d074e339
Opcode Fuzzy Hash: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction Fuzzy Hash: 3C51C275A062028FEB30DF6ADE44B26B3F5AF44318F154829E915D7F61EB36E800CB91

Function 6C88C6E0 Relevance: 12.1, APIs: 8, Instructions: 149COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,?,?,?,?,6C8871CF,?), ref: 6C88C70F

Part of subcall function 6C8807B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C828298,?,?,?,6C81FCE5,?), ref: 6C8807BF
Part of subcall function 6C8807B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8807E6
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C88081B
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C880825

CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C8871CF,?), ref: 6C88C7B1

Part of subcall function 6C8295B0: TlsGetValue.KERNEL32(00000000,?,6C8400D2,00000000), ref: 6C8295D2
Part of subcall function 6C8295B0: EnterCriticalSection.KERNEL32(?,?,?,6C8400D2,00000000), ref: 6C8295E7
Part of subcall function 6C8295B0: PR_Unlock.NSS3(?,?,?,?,6C8400D2,00000000), ref: 6C829605

PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,?,?,6C8871CF,?), ref: 6C88C7D5
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C8871CF,?), ref: 6C88C811
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C8871CF,?), ref: 6C88C841
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C88C855
PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,?,?,6C8871CF,?), ref: 6C88C868

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena_CertificateDestroyFree$ErrorHashLookupTable$ConstCriticalEnterFindSectionUnlockValue
String ID:
API String ID: 1768726504-0
Opcode ID: fc537cff35ca18c10af1df844d24871b5193ba69ef4e89025439c59b561f8c00
Instruction ID: 010bcc7b31bf404b1d999ed26e21d3047b2e78ec94b5d118207007734f2c0e7d
Opcode Fuzzy Hash: fc537cff35ca18c10af1df844d24871b5193ba69ef4e89025439c59b561f8c00
Instruction Fuzzy Hash: 4A416471B432118BEB20EF19DA80B5677E9AF05758B550A74DC28DBF1BE770F804C691

Function 6C872470 Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C872D7C,6C849192,?), ref: 6C87248E
EnterCriticalSection.KERNEL32(02B80138), ref: 6C8724A2
memset.VCRUNTIME140(6C872D7C,00000020,6C872D5C), ref: 6C87250E
memset.VCRUNTIME140(6C872D9C,00000020,6C872D7C), ref: 6C872535
memset.VCRUNTIME140(?,00000020,?), ref: 6C87255C
memset.VCRUNTIME140(?,00000020,?), ref: 6C872583
PR_Unlock.NSS3(?), ref: 6C872594
PR_SetError.NSS3(00000000,00000000), ref: 6C8725AF

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: memset$Value$CriticalEnterErrorSectionUnlock
String ID:
API String ID: 2972906980-0
Opcode ID: be6c4d8d9ea019c466d575778271cbb61f09d36038974b7fa37c6856cee03a3f
Instruction ID: ffcb522c9c9eb0ef50df64dc4db1535b767b0a331ed35345a44d335009833401
Opcode Fuzzy Hash: be6c4d8d9ea019c466d575778271cbb61f09d36038974b7fa37c6856cee03a3f
Instruction Fuzzy Hash: 634122B1E002019BEB319F34CD987AE3774BB59308F241E68EC05D7A52F774EA84C2A1

Function 6C8705A0 Relevance: 12.1, APIs: 8, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000000), ref: 6C8705DA

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

TlsGetValue.KERNEL32(00000000), ref: 6C87060C
EnterCriticalSection.KERNEL32 ref: 6C870629
TlsGetValue.KERNEL32(00000000), ref: 6C87066F
EnterCriticalSection.KERNEL32 ref: 6C87068C
PR_Unlock.NSS3 ref: 6C8706AA
PK11_GetNextSafe.NSS3 ref: 6C8706C3
PR_Unlock.NSS3 ref: 6C8706F9

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$Alloc_K11_NextSafeUtilmalloc
String ID:
API String ID: 1593870348-0
Opcode ID: 0206d6292e4e29a400fc2ec007b9e20bbfbf608d0896f30e6443b952b115a156
Instruction ID: 92c008428deaf0ebd4efa52c03cc5bb12ae2ae51ba9f27ed74a660a9b94c248f
Opcode Fuzzy Hash: 0206d6292e4e29a400fc2ec007b9e20bbfbf608d0896f30e6443b952b115a156
Instruction Fuzzy Hash: AB513EB4A05746CFDB20DF69C69466EBBF0BF45304F148929D859DB701EB31E884CBA1

Function 6C87A470 Relevance: 12.1, APIs: 8, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C87A4A6

Part of subcall function 6C880840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8808B4

PORT_Alloc_Util.NSS3(?), ref: 6C87A4EC

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

memcpy.VCRUNTIME140(-00000006,?,?), ref: 6C87A527
memcmp.VCRUNTIME140(00000006,?,?), ref: 6C87A56D
memcmp.VCRUNTIME140(00000006,00000006,00000004), ref: 6C87A583
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C87A596
free.MOZGLUE(?), ref: 6C87A5A4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C87A5B6

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Error$Utilmemcmp$Alloc_FindTag_Valuefreemallocmemcpy
String ID:
API String ID: 3906949479-0
Opcode ID: 1653b635e7ac9164bb4bf845a6bf7fb437c686a25d530842da9de56505a10cb0
Instruction ID: 9341b165799a4cf757b077dbb3637ffd6dd6dbf3c316708a29a0f308fb5f46cd
Opcode Fuzzy Hash: 1653b635e7ac9164bb4bf845a6bf7fb437c686a25d530842da9de56505a10cb0
Instruction Fuzzy Hash: 1141D672A042469FDB20CF99CD40BDABB71AF50308F148869D8595BB52F731E919C7B2

Function 6C93A6F0 Relevance: 12.1, APIs: 8, Instructions: 117threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8E9890: TlsGetValue.KERNEL32(?,?,?,6C8E97EB), ref: 6C8E989E

EnterCriticalSection.KERNEL32(?), ref: 6C93A712
_PR_MD_UNLOCK.NSS3(?), ref: 6C93A76D

Part of subcall function 6C8E70F0: LeaveCriticalSection.KERNEL32(6C930C7B), ref: 6C8E710D

calloc.MOZGLUE(00000001,0000000C), ref: 6C93A779
_PR_CreateThread.NSS3(00000000,6C939EA0,?,00000001,00000001,00000000,?,00000000), ref: 6C93A79B
free.MOZGLUE(00000000), ref: 6C93A7AB
EnterCriticalSection.KERNEL32(?), ref: 6C93A7C5
_PR_MD_NOTIFY_CV.NSS3(?), ref: 6C93A7FC
_PR_MD_UNLOCK.NSS3(?), ref: 6C93A824

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSection$Enter$CreateLeaveThreadValuecallocfree
String ID:
API String ID: 3459369588-0
Opcode ID: 1653578400bc85c0d2590e1c7cd60b0f5fb96f22b524104411164ea118bf6c1d
Instruction ID: b7132d106e8621565c109fd34740fe08cc09c84f479000eabb02059e401a826e
Opcode Fuzzy Hash: 1653578400bc85c0d2590e1c7cd60b0f5fb96f22b524104411164ea118bf6c1d
Instruction Fuzzy Hash: E1417FB59007119FCB20CF69C884967B7F8FF59308B148929D85EC7B11EB71E845CBA0

Function 6C8666B0 Relevance: 12.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000010,00000000), ref: 6C8666D0
realloc.MOZGLUE(?,?,?,?,?,00000010,00000000), ref: 6C8666FB

Part of subcall function 6C884540: PORT_ZAlloc_Util.NSS3(00000001,?,-00000001,-00000001,?,6C866725,?,00000022,?,?,?,?,?,00000010,00000000), ref: 6C884581

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000010,00000000), ref: 6C86673A
memcpy.VCRUNTIME140(00000001,00000000,-00000001,?,?,?,?,?,?,?,?,?,?,00000010,00000000), ref: 6C866757
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000010,00000000), ref: 6C86676E
memcpy.VCRUNTIME140(6C85C79F,?,?,?,?,?,00000010,00000000), ref: 6C866781
memcpy.VCRUNTIME140(00000001,?,-00000001,?,?,?,?,?,?,00000010,00000000), ref: 6C86679D
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,00000010,00000000), ref: 6C8667BC

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: memcpy$Alloc_ErrorUtilfreereallocstrlen
String ID:
API String ID: 922128022-0
Opcode ID: be230ac42b6dc7f5ab1b376c4e2f8dc2638cca5e15edfeae6d903b20e4a989bf
Instruction ID: 163f56b842b2fa302780bb54fcd959a8501ed4144eaeb929f6eee374837cfa40
Opcode Fuzzy Hash: be230ac42b6dc7f5ab1b376c4e2f8dc2638cca5e15edfeae6d903b20e4a989bf
Instruction Fuzzy Hash: 3331EA729012599FDF21CF98DC459AF77B8FF95304F040828E8099B740E732AD19C7A2

Function 6C844E50 Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C844E90
EnterCriticalSection.KERNEL32 ref: 6C844EA9
TlsGetValue.KERNEL32 ref: 6C844EC6
EnterCriticalSection.KERNEL32 ref: 6C844EDF
PL_HashTableLookup.NSS3 ref: 6C844EF8
PR_Unlock.NSS3 ref: 6C844F05
PR_Now.NSS3 ref: 6C844F13
PR_Unlock.NSS3 ref: 6C844F3A

Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107AD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107CD
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C7A204A), ref: 6C8107D6
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C7A204A), ref: 6C8107E4
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,6C7A204A), ref: 6C810864
Part of subcall function 6C8107A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C810880
Part of subcall function 6C8107A0: TlsSetValue.KERNEL32(00000000,?,?,6C7A204A), ref: 6C8108CB
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108D7
Part of subcall function 6C8107A0: TlsGetValue.KERNEL32(?,?,6C7A204A), ref: 6C8108FB

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID:
API String ID: 326028414-0
Opcode ID: d5f21c0854db23a557e555d4af688daf7711e963447867224bdd8229acaa712d
Instruction ID: e92ab511efc7f1c0eae2f8f2090839a6b5188871b4883f1b69baaa19ab88eda7
Opcode Fuzzy Hash: d5f21c0854db23a557e555d4af688daf7711e963447867224bdd8229acaa712d
Instruction Fuzzy Hash: E8416CB4A04609CFCB10EF68C1848AABBF0FF89314B158969EC599B710EB30E855CB91

Function 6C8CA7D0 Relevance: 12.1, APIs: 8, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(0000002C,00000000,6C8B2AE9,?,6C8CA98D,?,?,?,?), ref: 6C8CA7D7

Part of subcall function 6C880D30: calloc.MOZGLUE ref: 6C880D50
Part of subcall function 6C880D30: TlsGetValue.KERNEL32 ref: 6C880D6D

SECITEM_CopyItem_Util.NSS3(00000000,-00000014,?,0000065C), ref: 6C8CA80B

Part of subcall function 6C87FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C878D2D,?,00000000,?), ref: 6C87FB85
Part of subcall function 6C87FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C87FBB1

PK11_FreeSymKey.NSS3(?,?,?,?,?,?,0000065C), ref: 6C8CA82E

Part of subcall function 6C86ADC0: TlsGetValue.KERNEL32(?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE10
Part of subcall function 6C86ADC0: EnterCriticalSection.KERNEL32(?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE24
Part of subcall function 6C86ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C84D079,00000000,00000001), ref: 6C86AE5A
Part of subcall function 6C86ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE6F
Part of subcall function 6C86ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE7F
Part of subcall function 6C86ADC0: TlsGetValue.KERNEL32(?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AEB1
Part of subcall function 6C86ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AEC9

PK11_FreeSymKey.NSS3(?,?,?,?,?,?,0000065C), ref: 6C8CA845
SECITEM_ZfreeItem_Util.NSS3(-00000014,00000000,?,?,?,?,?,0000065C), ref: 6C8CA857
free.MOZGLUE(00000000,?,?,?,?,?,?,?,0000065C), ref: 6C8CA860
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,0000065C), ref: 6C8CA81E

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

PR_SetError.NSS3(FFFFE013,00000000,0000065C), ref: 6C8CA872

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: UtilValue$Alloc_CriticalEnterErrorFreeItem_K11_Sectionfree$ArenaCopyUnlockZfreecallocmemcpymemset
String ID:
API String ID: 1855126447-0
Opcode ID: f2d9afdfdc7a7b3d57950afec49cc4e7ff18c98ab93410ce6c42d20039f8c101
Instruction ID: f4e2295bc3696d73e611f0ad6ea9055c04faeec8c30d4e8de816bc22ed8ed34c
Opcode Fuzzy Hash: f2d9afdfdc7a7b3d57950afec49cc4e7ff18c98ab93410ce6c42d20039f8c101
Instruction Fuzzy Hash: 6B11BFB5B0032157FB309B6AED41F8B76989B5069DF104838EC1A96B81E725E40A86A2

Function 6C8165D0 Relevance: 10.8, APIs: 4, Strings: 3, Instructions: 261COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C81670B
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,6C812B2C), ref: 6C81675E
EnterCriticalSection.KERNEL32(?), ref: 6C81678E
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,6C812B2C), ref: 6C8167E1

Strings

winClose, xrefs: 6C8168C5
winUnmapfile2, xrefs: 6C81698B
winUnmapfile1, xrefs: 6C816964

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: winClose$winUnmapfile1$winUnmapfile2
API String ID: 3168844106-373099266
Opcode ID: 1d4142c5f0bd18ccbfde9b5c0f3386cac091a12e04334243aeb65d5f8cb07fef
Instruction ID: b6d1edd652b45ea0e4ccdc341774540addc2de1205e1cab41d0af2aeb640b15d
Opcode Fuzzy Hash: 1d4142c5f0bd18ccbfde9b5c0f3386cac091a12e04334243aeb65d5f8cb07fef
Instruction Fuzzy Hash: 47A19275B0E221CFDF199F24EA9866A37B4FF47315B240968E946CBE40DB34A801CF91

Function 6C7A4F60 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 211stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7A4FC4
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0002996C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C7A51BB

Strings

unable to delete/modify user-function due to active statements, xrefs: 6C7A51DF
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7A51A5
%s at line %d of [%.10s], xrefs: 6C7A51B4
misuse, xrefs: 6C7A51AF

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_logstrlen
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify user-function due to active statements
API String ID: 3619038524-4115156624
Opcode ID: a79c4b40a1bf04033a8b8b53525d0f401292ae5cfe0ee125f9fe0438f8a9fc98
Instruction ID: 31af24943e322f44077a221bc578a7c9184661ca3785df224c249602cadd867f
Opcode Fuzzy Hash: a79c4b40a1bf04033a8b8b53525d0f401292ae5cfe0ee125f9fe0438f8a9fc98
Instruction Fuzzy Hash: BA7180B1604609DFDB00CFA6DE80BAB77B5BB48348F154634FE199BA41D731D852CBA1

Function 6C7BA630 Relevance: 10.7, APIs: 7, Instructions: 192COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,6C981308,?,?,6C7B6ABD,00000000), ref: 6C7BA6B7
LeaveCriticalSection.KERNEL32(?), ref: 6C7BA70A
EnterCriticalSection.KERNEL32(?,00000000,6C981308,?,?,6C7B6ABD,00000000), ref: 6C7BA73A
LeaveCriticalSection.KERNEL32(?), ref: 6C7BA78D
EnterCriticalSection.KERNEL32(?,00000000,6C981308,?,?,6C7B6ABD,00000000), ref: 6C7BA7CA
LeaveCriticalSection.KERNEL32(?), ref: 6C7BA821
sqlite3_free.NSS3(?,00000000,6C981308,?,?,6C7B6ABD,00000000), ref: 6C7BA8A6

Part of subcall function 6C7A9EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C7BC6FD,?,?,?,?,6C80F965,00000000), ref: 6C7A9F0E
Part of subcall function 6C7A9EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C80F965,00000000), ref: 6C7A9F5D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSection$EnterLeave$sqlite3_free
String ID:
API String ID: 1407842778-0
Opcode ID: 5069ad1b9b3ece80ec470c0693d6888842a1bea6bfe86cff297fd701dc4cecaf
Instruction ID: 55a1292cc2c0acfdb59a25195670c53e1969234f34ac4f7d8ac61ee5bae2a868
Opcode Fuzzy Hash: 5069ad1b9b3ece80ec470c0693d6888842a1bea6bfe86cff297fd701dc4cecaf
Instruction Fuzzy Hash: 3F61A37570E100DFDB0AAF25DA99A667375BF87324B38052DD41697E00DB39E843CBA2

Function 6C812D20 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6C812D69

Strings

winTruncate2, xrefs: 6C812EF8
winUnmapfile2, xrefs: 6C812F7F
winUnmapfile1, xrefs: 6C812F55
winSeekFile, xrefs: 6C812E9C
winTruncate1, xrefs: 6C812EBE

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: __allrem
String ID: winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2
API String ID: 2933888876-3221253098
Opcode ID: b478a89d479bf968c5193bae47d41e993dc6c536af262e9b44d94e1275391943
Instruction ID: 22952446cae131e1cc789be57a19fd1975488e3bd261f6f999ba3be4bffd91d7
Opcode Fuzzy Hash: b478a89d479bf968c5193bae47d41e993dc6c536af262e9b44d94e1275391943
Instruction Fuzzy Hash: 7F61D271A052099FDB14CF68D954AAA77F1FF4A314F208A28E9159BB90DB34E806CB90

Function 6C828620 Relevance: 10.6, APIs: 7, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

SECITEM_CopyItem_Util.NSS3(00000000,00000000,6C827310,00000000,6C827310,?,?,00000004,?), ref: 6C828684

Part of subcall function 6C87FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C878D2D,?,00000000,?), ref: 6C87FB85
Part of subcall function 6C87FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C87FBB1

SECITEM_CopyItem_Util.NSS3(00000000,-0000000C,6C827304,?,?,?,00000000,6C827310,?,?,00000004,?), ref: 6C82869F
PORT_ArenaAlloc_Util.NSS3(00000000,00000008,?,?,?,?,?,?,00000000,6C827310,?,?,00000004,?), ref: 6C8286D7
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?,?,?,?,?,?,?,00000000,6C827310,?,?,00000004,?), ref: 6C828706
PORT_ArenaAlloc_Util.NSS3(00000000,00000018,00000000,6C827310,00000004,00000000,?,6C828A20,00000004,00000000,6C827310,?,?,00000004,?), ref: 6C828656

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

PORT_ArenaAlloc_Util.NSS3(00000000,00000008,00000000,6C827310,00000004,00000000,?,6C828A20,00000004,00000000,6C827310,?,?,00000004,?), ref: 6C828763
PORT_ArenaGrow_Util.NSS3(00000000,6C828A20,?,?,00000000,6C827310,00000004,00000000,?,6C828A20,00000004,00000000,6C827310,?,?,00000004), ref: 6C828795

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena$Alloc_$CopyGrow_Item_Value$AllocateCriticalEnterSectionUnlockmemcpy
String ID:
API String ID: 1239214001-0
Opcode ID: edab0757da17ce9ed80277259f892125aa72fc68a5204f4ba0abaa766cbc824c
Instruction ID: 73a7e26d88462c44f077074f04d98dc0c421ef47bebc5e95eb7d2a87497afe7f
Opcode Fuzzy Hash: edab0757da17ce9ed80277259f892125aa72fc68a5204f4ba0abaa766cbc824c
Instruction Fuzzy Hash: 1D4129B2501210AFEB208F24CD08F6737A9FF52358F154926EC558BB51E739D984CBE1

Function 6C86AC10 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C86AB3E,?,?,?), ref: 6C86AC35

Part of subcall function 6C84CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C84CF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C86AB3E,?,?,?), ref: 6C86AC55

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C86AB3E,?,?), ref: 6C86AC70

Part of subcall function 6C84E300: TlsGetValue.KERNEL32 ref: 6C84E33C
Part of subcall function 6C84E300: EnterCriticalSection.KERNEL32(?), ref: 6C84E350
Part of subcall function 6C84E300: PR_Unlock.NSS3(?), ref: 6C84E5BC
Part of subcall function 6C84E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C84E5CA
Part of subcall function 6C84E300: TlsGetValue.KERNEL32 ref: 6C84E5F2
Part of subcall function 6C84E300: EnterCriticalSection.KERNEL32(?), ref: 6C84E606
Part of subcall function 6C84E300: PORT_Alloc_Util.NSS3(?), ref: 6C84E613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C86AC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C86AB3E), ref: 6C86ACD7
PORT_Alloc_Util.NSS3(?), ref: 6C86AD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C86AD2B

Part of subcall function 6C84F360: TlsGetValue.KERNEL32(00000000,?,6C86A904,?), ref: 6C84F38B
Part of subcall function 6C84F360: EnterCriticalSection.KERNEL32(?,?,?,6C86A904,?), ref: 6C84F3A0
Part of subcall function 6C84F360: PR_Unlock.NSS3(?,?,?,?,6C86A904,?), ref: 6C84F3D3

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID:
API String ID: 2926855110-0
Opcode ID: 52fb3f5b1872430559004eca6fee3ad6cd90e682f73e9d8eac452ac7fc7c2da2
Instruction ID: 91b01fed9c1cfb92d73d5cfd3c14c92e06f5e8d2f8e0e79ec4c258ddf403d6bd
Opcode Fuzzy Hash: 52fb3f5b1872430559004eca6fee3ad6cd90e682f73e9d8eac452ac7fc7c2da2
Instruction Fuzzy Hash: E83129B1E002295FEB209F6ACD409EF7766AF8471CB198938E81557B40EB31DD15C7A1

Function 6C848C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C848C7C

Part of subcall function 6C8E9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C930A27), ref: 6C8E9DC6
Part of subcall function 6C8E9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C930A27), ref: 6C8E9DD1
Part of subcall function 6C8E9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8E9DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C848CB0
TlsGetValue.KERNEL32 ref: 6C848CD1
EnterCriticalSection.KERNEL32(?), ref: 6C848CE5
PR_Unlock.NSS3(?), ref: 6C848D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C848D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C848D93

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: 484560e39f0057b9ef2fe58e611c39eb4b4f2f16196b32c3051112a172efbcab
Instruction ID: 45015d08b84091386214491de48dffe636bd87ca8b639f146ace654b689a3171
Opcode Fuzzy Hash: 484560e39f0057b9ef2fe58e611c39eb4b4f2f16196b32c3051112a172efbcab
Instruction Fuzzy Hash: 34318A71E02209AFD7209F68CD407AAB7B4BF15319F24493AEA19A7B50D730A924C7C1

Function 6C868500 Relevance: 10.6, APIs: 7, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C8695DC,00000000,00000000,00000000,?,6C8695DC,00000000,00000000,?,6C847F4A,00000000,?,00000000,00000000), ref: 6C868517

Part of subcall function 6C87BE30: SECOID_FindOID_Util.NSS3(6C83311B,00000000,?,6C83311B,?), ref: 6C87BE44

PORT_NewArena_Util.NSS3(00000800,00000000,00000000,?,6C847F4A,00000000,?,00000000,00000000), ref: 6C868585
PORT_ArenaAlloc_Util.NSS3(00000000,00000034,?,00000000,00000000,?,6C847F4A,00000000,?,00000000,00000000), ref: 6C86859A
SEC_ASN1DecodeItem_Util.NSS3(00000000,00000000,6C94D8C4,6C8695D0,?,?,?,00000000,00000000,?,6C847F4A,00000000,?,00000000,00000000), ref: 6C8685CC
SECOID_GetAlgorithmTag_Util.NSS3(-0000001C,?,?,?,?,?,?,?,00000000,00000000,?,6C847F4A,00000000,?,00000000,00000000), ref: 6C8685E1
PORT_FreeArena_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,00000000,00000000,?,6C847F4A,00000000,?), ref: 6C8685F4

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$AlgorithmArena_Tag_$Alloc_ArenaDecodeFindFreeItem_
String ID:
API String ID: 738345241-0
Opcode ID: 49a456ef1fff334c78d65d17da59b1c99f1f7e019f0d9c793942dffe0f1cc7fb
Instruction ID: 10a22e283f44907b7ada69398b7016cdf9f297f715ddd4116b1af257af8cdb5b
Opcode Fuzzy Hash: 49a456ef1fff334c78d65d17da59b1c99f1f7e019f0d9c793942dffe0f1cc7fb
Instruction Fuzzy Hash: EF3108A2D0111057E730851A9F98B6A2219AB1339CF551E77F81DD7FC2EB14CD544762

Function 6C834590 Relevance: 10.6, APIs: 7, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C8345B5

Part of subcall function 6C880FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881000
Part of subcall function 6C880FF0: PR_NewLock.NSS3(?,00000800,6C81EF74,00000000), ref: 6C881016
Part of subcall function 6C880FF0: PL_InitArenaPool.NSS3(00000000,security,6C8287ED,00000008,?,00000800,6C81EF74,00000000), ref: 6C88102B

PORT_ArenaAlloc_Util.NSS3(00000000,000000AC), ref: 6C8345C9

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C8345E6
SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C8345F8

Part of subcall function 6C87FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C878D2D,?,00000000,?), ref: 6C87FB85
Part of subcall function 6C87FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C87FBB1

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C834647
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C94A0F4,?), ref: 6C83468C
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C8346A1

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCopyCriticalDecodeEnterErrorFreeInitLockPoolQuickSectionUnlockcallocmemcpymemset
String ID:
API String ID: 1594507116-0
Opcode ID: d40cd25698c89a6e70ff0b18279b7aa25a74435917a9d51fa73eb11c8f472f75
Instruction ID: 6c6373122390695f455653373a328720c223eaa4f28aaaefe309807c82a9e485
Opcode Fuzzy Hash: d40cd25698c89a6e70ff0b18279b7aa25a74435917a9d51fa73eb11c8f472f75
Instruction Fuzzy Hash: 2A31BBB1B013245BFF205E98DD51BAB3AA49B85358F105438D909DF781FB76C80487E5

Function 6C842E40 Relevance: 10.6, APIs: 7, Instructions: 92COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6C83E728,?,00000038,?,?,00000000), ref: 6C842E52
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C842E66
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C842E7B
EnterCriticalSection.KERNEL32(00000000), ref: 6C842E8F
PL_HashTableLookup.NSS3(?,?), ref: 6C842E9E
PR_Unlock.NSS3(?), ref: 6C842EAB
PR_Unlock.NSS3(?), ref: 6C842F0D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 1fcf20630b4e1ed6d17406df2cb6cafc5f53e20198f3bb6ec86672d002ac5083
Instruction ID: 663eb73e718ab8a31b3f362be412a251823c722bd4e1946de57edfaca31e9e47
Opcode Fuzzy Hash: 1fcf20630b4e1ed6d17406df2cb6cafc5f53e20198f3bb6ec86672d002ac5083
Instruction Fuzzy Hash: 793158B5A08119ABEB21AF68DD4487AB774FF06258B588974EC08C7B11FB31DC64C7E0

Function 6C874470 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,6C837296,00000000), ref: 6C874487
EnterCriticalSection.KERNEL32(?,?,?,6C837296,00000000), ref: 6C8744A0
PR_Unlock.NSS3(?,?,?,?,6C837296,00000000), ref: 6C8744BB
SECMOD_DestroyModule.NSS3(?,?,?,?,6C837296,00000000), ref: 6C8744DA
DeleteCriticalSection.KERNEL32(?,?,?,?,6C837296,00000000), ref: 6C874530
free.MOZGLUE(?,?,?,?,?,6C837296,00000000), ref: 6C87453C
PORT_FreeArena_Util.NSS3 ref: 6C87454F

Part of subcall function 6C85CAA0: PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6C83B1EE,D958E836,?,6C8751C5), ref: 6C85CAFA
Part of subcall function 6C85CAA0: PR_UnloadLibrary.NSS3(?,6C8751C5), ref: 6C85CB09

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSection$Arena_DeleteDestroyEnterFreeLibraryModuleSecureUnloadUnlockUtilValuefree
String ID:
API String ID: 3590924995-0
Opcode ID: 2d2fc0cf31e1c5565d1f607e4e5270185e47214995633a082383b6d6aed62db3
Instruction ID: 464646fc5871460d35f0b563e88672a90bca28d6d35e3073db1801a33492f7eb
Opcode Fuzzy Hash: 2d2fc0cf31e1c5565d1f607e4e5270185e47214995633a082383b6d6aed62db3
Instruction Fuzzy Hash: BB313CB4A09A118FDB20EF78C184659B7F0FF85359F150A69D89997B00E731E8A4CFE1

Function 6C88CEE0 Relevance: 10.6, APIs: 7, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,6C88CD93,?), ref: 6C88CEEE

Part of subcall function 6C8814C0: TlsGetValue.KERNEL32 ref: 6C8814E0
Part of subcall function 6C8814C0: EnterCriticalSection.KERNEL32 ref: 6C8814F5
Part of subcall function 6C8814C0: PR_Unlock.NSS3 ref: 6C88150D

PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C88CD93,?), ref: 6C88CEFC

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C88CD93,?), ref: 6C88CF0B

Part of subcall function 6C880840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8808B4

SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C88CD93,?), ref: 6C88CF1D

Part of subcall function 6C87FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C878D2D,?,00000000,?), ref: 6C87FB85
Part of subcall function 6C87FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C87FBB1

PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C88CD93,?), ref: 6C88CF47
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C88CD93,?), ref: 6C88CF67
SECITEM_CopyItem_Util.NSS3(?,00000000,6C88CD93,?,?,?,?,?,?,?,?,?,?,?,6C88CD93,?), ref: 6C88CF78

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
String ID:
API String ID: 4291907967-0
Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction ID: 8fcec8d1e43beb1428fe2d3d262b21c9c52957351c0be5a92a03adf5246cc2c4
Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction Fuzzy Hash: B211E7B1E022045BF730AA6A7E41B6B75EC9F5424DF104939EC09D7F46FBA0D90886B1

Function 6C838C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C838C1B
EnterCriticalSection.KERNEL32 ref: 6C838C34
PL_ArenaAllocate.NSS3 ref: 6C838C65
PR_Unlock.NSS3 ref: 6C838C9C
PR_Unlock.NSS3 ref: 6C838CB6

Part of subcall function 6C8CDD70: TlsGetValue.KERNEL32 ref: 6C8CDD8C
Part of subcall function 6C8CDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C8CDDB4

Strings

KRAM, xrefs: 6C838C8F

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: 037221b63e593fd472275533254914e020a36815433431255c85574d0df92db2
Instruction ID: a64ede4428b98e6dab416bba139c71079d272b45437cdff89d0943bf2ca21f51
Opcode Fuzzy Hash: 037221b63e593fd472275533254914e020a36815433431255c85574d0df92db2
Instruction Fuzzy Hash: 60219EB1A056118FD710AFB8C584559BBF0FF45304F06AD6AD888CB701DB35D886CBD2

Function 6C8CA540 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6C8CA390: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8CA415

PK11_ExtractKeyValue.NSS3(00000000), ref: 6C8CA5AC
memcpy.VCRUNTIME140(?,?,?), ref: 6C8CA5BF
PK11_FreeSymKey.NSS3(00000000), ref: 6C8CA5C8

Part of subcall function 6C86ADC0: TlsGetValue.KERNEL32(?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE10
Part of subcall function 6C86ADC0: EnterCriticalSection.KERNEL32(?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE24
Part of subcall function 6C86ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C84D079,00000000,00000001), ref: 6C86AE5A
Part of subcall function 6C86ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE6F
Part of subcall function 6C86ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE7F
Part of subcall function 6C86ADC0: TlsGetValue.KERNEL32(?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AEB1
Part of subcall function 6C86ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AEC9

PK11_FreeSymKey.NSS3(00000000), ref: 6C8CA5D9
PR_SetError.NSS3(FFFFD04C,00000000), ref: 6C8CA5E8

Strings

*@, xrefs: 6C8CA589

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: K11_Value$CriticalEnterErrorFreeSection$ExtractUnlockfreememcpymemset
String ID: *@
API String ID: 2660593509-1483644743
Opcode ID: 9327acd592a3f2cd043bd802f33a674a0d7e0db6d281646226cd3078054f8db0
Instruction ID: 17f489677da0421933480fb75f061e9792b0d338c3a5f5c58af1b36efbe4e6fe
Opcode Fuzzy Hash: 9327acd592a3f2cd043bd802f33a674a0d7e0db6d281646226cd3078054f8db0
Instruction Fuzzy Hash: 1921F3B1D042189BC7109F69DE016EFBBB4AF9971CF014628EC5823740E735E6488BD3

Function 6C932C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C932CA0
PR_ExitMonitor.NSS3 ref: 6C932CBE
calloc.MOZGLUE(00000001,00000014), ref: 6C932CD1
strdup.MOZGLUE(?), ref: 6C932CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C932D27

Strings

Loaded library %s (static lib), xrefs: 6C932D22

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: c931466cd675fc25830deea1c5abcb9dc8c3987bf834671b85a1ec676008d2db
Instruction ID: dd2591d57c1aea6012fcb09daa4df36367bfa4c3fe5cfe70d5388c04a6e909ad
Opcode Fuzzy Hash: c931466cd675fc25830deea1c5abcb9dc8c3987bf834671b85a1ec676008d2db
Instruction Fuzzy Hash: 1311E6B16066609FEB118F19D848AA677B8AB8730DF24893DD81DC7B42D731D808CBE1

Function 6C880FF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881000
PR_NewLock.NSS3(?,00000800,6C81EF74,00000000), ref: 6C881016

Part of subcall function 6C8E98D0: calloc.MOZGLUE(00000001,00000084,6C810936,00000001,?,6C81102C), ref: 6C8E98E5

PL_InitArenaPool.NSS3(00000000,security,6C8287ED,00000008,?,00000800,6C81EF74,00000000), ref: 6C88102B
TlsGetValue.KERNEL32(00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881044
free.MOZGLUE(00000000,?,00000800,6C81EF74,00000000), ref: 6C881064

Strings

security, xrefs: 6C881025

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: calloc$ArenaInitLockPoolValuefree
String ID: security
API String ID: 3379159031-3315324353
Opcode ID: a2db5b11997eebdbf28539b4dfb14a944b5b646198926904c9d8542529bb7cc4
Instruction ID: 2cf21c5abbe41d6840128e5b82404fc58a3b187d633ef81c5bca4d4d7a2d3a40
Opcode Fuzzy Hash: a2db5b11997eebdbf28539b4dfb14a944b5b646198926904c9d8542529bb7cc4
Instruction Fuzzy Hash: 09016B70A4626497E7312F3D8E04B963AA8BF03749F100D25E82897E51EF71C154DBE1

Function 6C8B0570 Relevance: 10.5, APIs: 7, Instructions: 47COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6C89C89B,FFFFFE80,?,6C89C89B), ref: 6C8B058B
free.MOZGLUE(?,?,6C89C89B), ref: 6C8B0592
PR_SetError.NSS3(FFFFE09A,00000000,FFFFFE80,?,6C89C89B), ref: 6C8B05AE
PR_SetError.NSS3(FFFFE09A,00000000,FFFFFE80,?,6C89C89B), ref: 6C8B05C2
DeleteCriticalSection.KERNEL32(6C89C89B,?,6C89C89B), ref: 6C8B05D8
free.MOZGLUE(?,?,6C89C89B), ref: 6C8B05DF
PR_SetError.NSS3(FFFFE09A,00000000,?,6C89C89B), ref: 6C8B05FB

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Error$CriticalDeleteSectionfree$Value
String ID:
API String ID: 1757055810-0
Opcode ID: e82393be786671dcda2366ffde1cb2290e0ec25dfeaa2887cbc59e9b20886e08
Instruction ID: 6e582d6ee4deab89ce6bd083eb798ebc7422efdcf4c0cbdff055b56cc63fb79a
Opcode Fuzzy Hash: e82393be786671dcda2366ffde1cb2290e0ec25dfeaa2887cbc59e9b20886e08
Instruction Fuzzy Hash: 9901F5B1B0FA605BEF31AFA49F0D7497B785B07709F200820E50673F81D374A11983A6

Function 6C878780 Relevance: 10.5, APIs: 7, Instructions: 44COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,?,6C82518F,?,-00000001,?,6C8261C4,?,6C825FA7), ref: 6C878790
DeleteCriticalSection.KERNEL32(?,?,?,?,6C82518F,?,-00000001,?,6C8261C4,?,6C825FA7), ref: 6C8787AB
free.MOZGLUE(?,?,6C82518F,?,-00000001,?,6C8261C4,?,6C825FA7), ref: 6C8787B2
DeleteCriticalSection.KERNEL32(0000000D,?,?,?,6C82518F,?,-00000001,?,6C8261C4,?,6C825FA7), ref: 6C8787CD
free.MOZGLUE(00000001,?,6C82518F,?,-00000001,?,6C8261C4,?,6C825FA7), ref: 6C8787D4
DeleteCriticalSection.KERNEL32(?,?,?,?,6C82518F,?,-00000001,?,6C8261C4,?,6C825FA7), ref: 6C8787E7
free.MOZGLUE(?,?,6C82518F,?,-00000001,?,6C8261C4,?,6C825FA7), ref: 6C8787EE

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: e23a330490fc3b60ddf994cc887ad027cfa7f068e99fba4de8fa105b6109042b
Instruction ID: 95d11a9dfe8ad05e688fe594f03bc8cb352e989a27d52711c18e045323860aa3
Opcode Fuzzy Hash: e23a330490fc3b60ddf994cc887ad027cfa7f068e99fba4de8fa105b6109042b
Instruction Fuzzy Hash: 8801B5B5606A159BCF21EF64C80885B77B8BF466A13200629F42B93A40E735F011CBF5

Function 6C8C2E50 Relevance: 9.3, APIs: 6, Instructions: 251COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000), ref: 6C8C3046

Part of subcall function 6C8AEE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C8AEE85

PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6C897FFB), ref: 6C8C312A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C8C3154
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C8C2E8B

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

Part of subcall function 6C8AF110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6C899BFF,?,00000000,00000000), ref: 6C8AF134

memcpy.VCRUNTIME140(8B3C75C0,?,6C897FFA), ref: 6C8C2EA4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8C317B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Error$memcpy$K11_Value
String ID:
API String ID: 2334702667-0
Opcode ID: 30e2e43e6ad50e929abfe20adc5c3892d89ce2057e42756125e1e9c6e9108ed7
Instruction ID: 5e0d331e5d2bc75b0990927a07a55ffb3b5f1020b1879af203912d0affcefee1
Opcode Fuzzy Hash: 30e2e43e6ad50e929abfe20adc5c3892d89ce2057e42756125e1e9c6e9108ed7
Instruction Fuzzy Hash: BBA1BF71A002189FDB34CF58CC84BEAB7B5EF45308F048599E94967781E735AD45CFA2

Function 6C88ED00 Relevance: 9.2, APIs: 6, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C88ED6B
PORT_Alloc_Util.NSS3(00000000), ref: 6C88EDCE

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

free.MOZGLUE(00000000,?,?,?,?,6C88B04F), ref: 6C88EE46
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C88EECA
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C88EEEA
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C88EEFB

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Alloc_Util$Arena$Valuefreemalloc
String ID:
API String ID: 3768380896-0
Opcode ID: cd07ea2d2e3af5cbb246841af0e1ba4154cbb15f24fde48fd398aae1858437af
Instruction ID: 3b024825fa19c945ea546de71fc494aa4a11b6ecca6cdf4a6a32e61df864faac
Opcode Fuzzy Hash: cd07ea2d2e3af5cbb246841af0e1ba4154cbb15f24fde48fd398aae1858437af
Instruction Fuzzy Hash: DD8161B9A022059FEB24CF59DE84BAB77F5FF49308F144828E81597B51D730E814CBA1

Function 6C88CCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C88C6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C88DAE2,?), ref: 6C88C6C2

PR_Now.NSS3 ref: 6C88CD35

Part of subcall function 6C8E9DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C930A27), ref: 6C8E9DC6
Part of subcall function 6C8E9DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C930A27), ref: 6C8E9DD1
Part of subcall function 6C8E9DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8E9DED

Part of subcall function 6C876C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C821C6F,00000000,00000004,?,?), ref: 6C876C3F

PR_GetCurrentThread.NSS3 ref: 6C88CD54

Part of subcall function 6C8E9BF0: TlsGetValue.KERNEL32(?,?,?,6C930A75), ref: 6C8E9C07

Part of subcall function 6C877260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C821CCC,00000000,00000000,?,?), ref: 6C87729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C88CD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C88CE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C88CE2C

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6C88CE40

Part of subcall function 6C8814C0: TlsGetValue.KERNEL32 ref: 6C8814E0
Part of subcall function 6C8814C0: EnterCriticalSection.KERNEL32 ref: 6C8814F5
Part of subcall function 6C8814C0: PR_Unlock.NSS3 ref: 6C88150D

Part of subcall function 6C88CEE0: PORT_ArenaMark_Util.NSS3(?,6C88CD93,?), ref: 6C88CEEE
Part of subcall function 6C88CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C88CD93,?), ref: 6C88CEFC
Part of subcall function 6C88CEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C88CD93,?), ref: 6C88CF0B
Part of subcall function 6C88CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C88CD93,?), ref: 6C88CF1D

Part of subcall function 6C88CEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C88CD93,?), ref: 6C88CF47
Part of subcall function 6C88CEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C88CD93,?), ref: 6C88CF67
Part of subcall function 6C88CEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C88CD93,?,?,?,?,?,?,?,?,?,?,?,6C88CD93,?), ref: 6C88CF78

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: 15f78e48e404adb749eeee5fabcbf3ed7ce11e1c001e4151a344f347eba9cb2e
Instruction ID: 09514e8d02916aa75ea304a9c69cb8f9b1291f7ed394eadd3accfc3a8bfe345d
Opcode Fuzzy Hash: 15f78e48e404adb749eeee5fabcbf3ed7ce11e1c001e4151a344f347eba9cb2e
Instruction Fuzzy Hash: 5C51D672A021049BE730DF69DE40B9A77E4EF48348F250A34D85497F46EB31E904CBA1

Function 6C8866C0 Relevance: 9.1, APIs: 6, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C8866DF

Part of subcall function 6C880FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881000
Part of subcall function 6C880FF0: PR_NewLock.NSS3(?,00000800,6C81EF74,00000000), ref: 6C881016
Part of subcall function 6C880FF0: PL_InitArenaPool.NSS3(00000000,security,6C8287ED,00000008,?,00000800,6C81EF74,00000000), ref: 6C88102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000168), ref: 6C8866F9

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

memset.VCRUNTIME140(00000000,00000000,00000168), ref: 6C886728
PK11_GetInternalKeySlot.NSS3 ref: 6C886788
NSS_OptionGet.NSS3(0000000C,00000000), ref: 6C8867AD
PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C8867C1

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ArenaUtil$Arena_Value$Alloc_AllocateCriticalEnterFreeInitInternalK11_LockOptionPoolSectionSlotUnlockcallocmemset
String ID:
API String ID: 3227582682-0
Opcode ID: db5cc4ced2cf5bbe6ce72d528f48156e82371d8994d3e6fe36ceaa2e38df3233
Instruction ID: f240b17d23dee10a04c95897380fee7975a43c767bb2bd2289c89830a610f577
Opcode Fuzzy Hash: db5cc4ced2cf5bbe6ce72d528f48156e82371d8994d3e6fe36ceaa2e38df3233
Instruction Fuzzy Hash: 565118B0D112188BDF20DF59CA817DA7BF4AB09704F04467AEC08EBB45E770D9448BE1

Function 6C85EEF0 Relevance: 9.1, APIs: 6, Instructions: 124threadCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6C85EF38

Part of subcall function 6C849520: PK11_IsLoggedIn.NSS3(00000000,?,6C87379E,?,00000001,?), ref: 6C849542

PK11_Authenticate.NSS3(?,00000001,?), ref: 6C85EF53

Part of subcall function 6C864C20: TlsGetValue.KERNEL32 ref: 6C864C4C
Part of subcall function 6C864C20: EnterCriticalSection.KERNEL32(?), ref: 6C864C60
Part of subcall function 6C864C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C864CA1
Part of subcall function 6C864C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C864CBE
Part of subcall function 6C864C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C864CD2
Part of subcall function 6C864C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C864D3A

PR_GetCurrentThread.NSS3 ref: 6C85EF9E

Part of subcall function 6C8E9BF0: TlsGetValue.KERNEL32(?,?,?,6C930A75), ref: 6C8E9C07

free.MOZGLUE(00000000), ref: 6C85EFC3
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C85F016
free.MOZGLUE(00000000), ref: 6C85F022

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
String ID:
API String ID: 2459274275-0
Opcode ID: 4b7c2c1820cc0866af31db7177495cab9fccc43247ca89e44a416124a887eb05
Instruction ID: a55d937a657577f356dccbb2015d931711f3a1eb28080a56087f061ca8143818
Opcode Fuzzy Hash: 4b7c2c1820cc0866af31db7177495cab9fccc43247ca89e44a416124a887eb05
Instruction Fuzzy Hash: B441A271E00209ABDF118FA9DD45BEF7BB9AF48348F544435F904A7350E772C9258BA1

Function 6C8C2640 Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,8B7874C0,?,?,?,00000000,?,?,?,6C8999E8,00000000,00000000,?,?,?,?), ref: 6C8C267E
memset.VCRUNTIME140(00000000,00000000,?,?,?,00000000,?,?,?,6C8999E8,00000000,00000000,?,?,?,?), ref: 6C8C269D
memcpy.VCRUNTIME140(00000000,8B7874C0,?,?,?,?,?,?,00000000,?,?,?,6C8999E8,00000000,00000000,?), ref: 6C8C26AC
PK11_AEADOp.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,6C8999E8), ref: 6C8C2714
PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,?,?,?,6C8999E8,00000000,00000000,?,?,?,?,?), ref: 6C8C2737
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C8C2750

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: memcpy$ErrorK11_memset
String ID:
API String ID: 2328202073-0
Opcode ID: 0bfcca08d51740dff86605e240a58fd95a5177df0b22d39657304922702e478e
Instruction ID: 2e9d6aaf808a618d710e8e04f4ff61bca4e7ec29abb9a2dfc07c6e6e80cbd13d
Opcode Fuzzy Hash: 0bfcca08d51740dff86605e240a58fd95a5177df0b22d39657304922702e478e
Instruction Fuzzy Hash: 24418A32A00118AFCF248FA8CC84EEE77B5AF98308F554128F91967650D731EC54CBA1

Function 6C890720 Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(6C89175E,6C89175E,?,?,6C892F23,6C89175E,00000000,?,6C89175E,00000000), ref: 6C890738

Part of subcall function 6C8807B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C828298,?,?,?,6C81FCE5,?), ref: 6C8807BF
Part of subcall function 6C8807B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8807E6
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C88081B
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C880825

NSS_CMSSignedData_Destroy.NSS3(5304C483,6C89175E,?,?,6C892F23,6C89175E,00000000,?,6C89175E,00000000), ref: 6C89075C

Part of subcall function 6C893630: CERT_DestroyCertificate.NSS3(6C89175E,?,6C89175E,?,00000000,?,6C890761,5304C483,6C89175E,?,?,6C892F23,6C89175E,00000000,?,6C89175E), ref: 6C893661
Part of subcall function 6C893630: CERT_DestroyCertificate.NSS3(6C89175E,?,6C89175E,?,00000000,?,6C890761,5304C483,6C89175E,?,?,6C892F23,6C89175E,00000000,?,6C89175E), ref: 6C893681
Part of subcall function 6C893630: PORT_FreeArena_Util.NSS3(6C97CA90,00000000,?,6C89175E,?,00000000,?,6C890761,5304C483,6C89175E,?,?,6C892F23,6C89175E,00000000), ref: 6C8936A5

PORT_ArenaUnmark_Util.NSS3(?,5304C483,6C89175E,?,?,6C892F23,6C89175E,00000000,?,6C89175E,00000000), ref: 6C890794
free.MOZGLUE(850C478B,6C89175E,00000000), ref: 6C8907D0
PK11_FreeSymKey.NSS3(890473C1,6C89175E,00000000), ref: 6C8907E8

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: DestroyUtil$CertificateErrorFreeHashLookupTable$ArenaArena_ConstData_FindK11_SignedUnmark_free
String ID:
API String ID: 4228047643-0
Opcode ID: f0a88c5e156396083ff6e45dd5a8b2a2101accfdeb454c6e566226b232a70272
Instruction ID: 6ea06b42f5bc5bd9f639917f3ef086441b617bd1e5693cedaf72f13ffea621a8
Opcode Fuzzy Hash: f0a88c5e156396083ff6e45dd5a8b2a2101accfdeb454c6e566226b232a70272
Instruction Fuzzy Hash: 3131ECB6B02655ABEB308A6D9E4071377A97F86728F154D34D82997F00E732F4148BD2

Function 6C83E400 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C843F23,?), ref: 6C83E432
EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C83E44F

Part of subcall function 6C842C40: TlsGetValue.KERNEL32(6C843F23,?,6C83E477,?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C842C62
Part of subcall function 6C842C40: EnterCriticalSection.KERNEL32(0000001C,?,6C83E477,?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C842C76
Part of subcall function 6C842C40: PL_HashTableLookup.NSS3(00000000,?,?,6C83E477,?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C842C86
Part of subcall function 6C842C40: PR_Unlock.NSS3(00000000,?,?,?,?,6C83E477,?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C842C93

TlsGetValue.KERNEL32(?,00000001,00000000,?,?,6C843F23,?), ref: 6C83E494
EnterCriticalSection.KERNEL32(?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C83E4AD
PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C83E4D6
PR_Unlock.NSS3(?,?,?,00000001,00000000,?,?,6C843F23,?), ref: 6C83E52F

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: cbd67d4c8e3f8ce4c1804e664fce8f3ae6f054286fb975e5597ef8e04ce063a8
Instruction ID: 2780d54d6bfad1332d6dee9cfc2c8d167cec479139a0aa7c7e82a5de732e5b8a
Opcode Fuzzy Hash: cbd67d4c8e3f8ce4c1804e664fce8f3ae6f054286fb975e5597ef8e04ce063a8
Instruction Fuzzy Hash: B34130B4A05625CFCB20EFACD68455ABBF0FF05304B156D69D8989B711E730E844CBE2

Function 6C84CF40 Relevance: 9.1, APIs: 6, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000060), ref: 6C84CF80
SECITEM_DupItem_Util.NSS3(?), ref: 6C84D002
PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,?,00000000), ref: 6C84D016
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C84D025
PR_NewLock.NSS3 ref: 6C84D043
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C84D074

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ErrorUtil$Alloc_ContextDestroyItem_K11_Lock
String ID:
API String ID: 3361105336-0
Opcode ID: cb571fbec6c6b0dddafaef1b456515831ac1238b3a2f9a6dfde663650fc65180
Instruction ID: 8229a5566f04b921f8321c74518b80bcacbc747798634675a1d57e59fa3dad52
Opcode Fuzzy Hash: cb571fbec6c6b0dddafaef1b456515831ac1238b3a2f9a6dfde663650fc65180
Instruction Fuzzy Hash: 974187B0A013198FDB20DF29CA847967BE4AF04319F10C96ADC198F746E774D485CB91

Function 6C8365D0 Relevance: 9.1, APIs: 6, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(-00000007), ref: 6C83660F

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

free.MOZGLUE(00000000), ref: 6C836660
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C83667B
SGN_DecodeDigestInfo.NSS3(?), ref: 6C83669B
SECOID_GetAlgorithmTag_Util.NSS3(-00000004), ref: 6C8366B0
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C8366C8

Part of subcall function 6C8625D0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C83662E,?,?), ref: 6C862670
Part of subcall function 6C8625D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,-00000001,?,?,?,6C83662E,?), ref: 6C862684
Part of subcall function 6C8625D0: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C8626C2
Part of subcall function 6C8625D0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,?), ref: 6C8626E0
Part of subcall function 6C8625D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000001), ref: 6C8626F4
Part of subcall function 6C8625D0: PR_Unlock.NSS3(?), ref: 6C86274D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: UtilValue$CriticalEnterSectionUnlock$AlgorithmAlloc_Arena_DecodeDigestErrorFreeInfoTag_freemalloc
String ID:
API String ID: 2025608128-0
Opcode ID: 0483158f24351c2db81b52a9815f243892e7f587985c0d0316223ed82c548192
Instruction ID: 9435d54f0612f5d960a11573e2b7adde98a55f2a9c820b7b4bd851a2d67d84a1
Opcode Fuzzy Hash: 0483158f24351c2db81b52a9815f243892e7f587985c0d0316223ed82c548192
Instruction Fuzzy Hash: 7A3150B5A012299BDB21CFACD981AAEB7B4BF49258F101438ED19E7700F735D904CBE1

Function 6C832E60 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6C822D1A), ref: 6C832E7E

Part of subcall function 6C8807B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C828298,?,?,?,6C81FCE5,?), ref: 6C8807BF
Part of subcall function 6C8807B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8807E6
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C88081B
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C880825

PR_Now.NSS3 ref: 6C832EDF
CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6C832EE9
SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6C822D1A), ref: 6C832F01
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C822D1A), ref: 6C832F50
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C832F81

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
String ID:
API String ID: 287051776-0
Opcode ID: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction ID: 0a5c39b0c6ce5cfc533128bb14bf67120e0d33c63ee92f3954564ec13f91a83f
Opcode Fuzzy Hash: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction Fuzzy Hash: 8B3134715011288AE730C699DE88BBE7265EF81318F243D79C01D97AD2EB3D988AC6D1

Function 6C820E00 Relevance: 9.1, APIs: 6, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3(?,?,6C820A2C), ref: 6C820E0F
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6C820A2C), ref: 6C820E73
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6C820A2C), ref: 6C820E85
PORT_ZAlloc_Util.NSS3(00000001,?,?,6C820A2C), ref: 6C820E90
free.MOZGLUE(00000000), ref: 6C820EC4
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6C820A2C), ref: 6C820ED9

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
String ID:
API String ID: 3618544408-0
Opcode ID: 847af401e56931891be2819d3b4c1bb13694de507371866af6a99e8c4b84c935
Instruction ID: a712377024d72109f1e67c14ca7e683944ea17532978259031a2f43bfa6ad387
Opcode Fuzzy Hash: 847af401e56931891be2819d3b4c1bb13694de507371866af6a99e8c4b84c935
Instruction Fuzzy Hash: 892161BAE0028847EB3045695E5DB6B76AEDBC1708F150C35D81C57A01FB68C8D482E2

Function 6C82AE50 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C82AEB3
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6C82AECA
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C82AEDD
PR_SetError.NSS3(FFFFE022,00000000), ref: 6C82AF02
SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6C949500), ref: 6C82AF23

Part of subcall function 6C87F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C87F0C8
Part of subcall function 6C87F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C87F122

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C82AF37

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena_$Free$EncodeError$Integer_Item_Unsigned
String ID:
API String ID: 3714604333-0
Opcode ID: 44f3b22dec195047064207efce774480bed474713c589e1ab2cff9420a1ae3bc
Instruction ID: 12f8910cfdae029df2b4fa81ca62e19c8a88fc9520ffda62ccdbbaa651729a50
Opcode Fuzzy Hash: 44f3b22dec195047064207efce774480bed474713c589e1ab2cff9420a1ae3bc
Instruction Fuzzy Hash: 3D2148759092009BE7308F188E41BDA77E4AF8572CF144B29EC149B7C1E739D54587E3

Function 6C8AEE50 Relevance: 9.1, APIs: 6, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C8AEE85
realloc.MOZGLUE(3A2AAD3E,?), ref: 6C8AEEAE
PORT_Alloc_Util.NSS3(?), ref: 6C8AEEC5

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

htonl.WSOCK32(?), ref: 6C8AEEE3
htonl.WSOCK32(00000000,?), ref: 6C8AEEED
memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C8AEF01

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 1351805024-0
Opcode ID: 44dfc6c3d15230d6ca28cfb0728f615d0e41c4564aa4fc2690f17d3eabd7d9a3
Instruction ID: b973b95db9f99d8826655c706dbb8b34a2181e5aba72de793433eec8e658c0ff
Opcode Fuzzy Hash: 44dfc6c3d15230d6ca28cfb0728f615d0e41c4564aa4fc2690f17d3eabd7d9a3
Instruction Fuzzy Hash: 9E212731A002249FCF209F68CD8079AB7A4EF49358F148938EC099B741E330EC25CBE6

Function 6C882550 Relevance: 9.1, APIs: 6, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6C882576
PORT_Alloc_Util.NSS3(00000000), ref: 6C882585

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 6C8825A1
_waccess.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 6C8825AF
free.MOZGLUE(00000000), ref: 6C8825BB
free.MOZGLUE(00000000), ref: 6C8825CA

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ByteCharMultiWidefree$Alloc_UtilValue_waccessmalloc
String ID:
API String ID: 3520324648-0
Opcode ID: 98d182e87354bcf23f74eac29bd9e659757eb84c7ec32ef7a0b53791aa34d0bd
Instruction ID: 74bbc0b6cd93e21a810af9f96ff5ad0890bcaded6df47483248c9fc91ef27d70
Opcode Fuzzy Hash: 98d182e87354bcf23f74eac29bd9e659757eb84c7ec32ef7a0b53791aa34d0bd
Instruction Fuzzy Hash: B60128B174B2117BFF2026799D19E37355CDB426A6B240A30FC19C9AC2E964CC4086F1

Function 6C9386C0 Relevance: 9.1, APIs: 6, Instructions: 54threadCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6C9386DE

Part of subcall function 6C810F00: PR_GetPageSize.NSS3(6C810936,FFFFE8AE,?,6C7A16B7,00000000,?,6C810936,00000000,?,6C7A204A), ref: 6C810F1B
Part of subcall function 6C810F00: PR_NewLogModule.NSS3(clock,6C810936,FFFFE8AE,?,6C7A16B7,00000000,?,6C810936,00000000,?,6C7A204A), ref: 6C810F25

PR_Lock.NSS3 ref: 6C938700

Part of subcall function 6C8E9BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C811A48), ref: 6C8E9BB3
Part of subcall function 6C8E9BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C811A48), ref: 6C8E9BC8

getprotobyname.WSOCK32(?), ref: 6C938709
GetLastError.KERNEL32(?), ref: 6C938717
PR_GetCurrentThread.NSS3(?,?), ref: 6C93871F
PR_Unlock.NSS3(?,?), ref: 6C93873A

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CurrentThread$CriticalEnterErrorLastLockModulePageSectionSizeUnlockValuegetprotobyname
String ID:
API String ID: 2388724134-0
Opcode ID: 709b7b02c8d440091ea5ab0b56f16555c8bc882243bb1ff08ba1dd9b26f4de9c
Instruction ID: 4ad344048d4d31d749893b24ae07c49c33d77199375cd66ce0f95166b57728aa
Opcode Fuzzy Hash: 709b7b02c8d440091ea5ab0b56f16555c8bc882243bb1ff08ba1dd9b26f4de9c
Instruction Fuzzy Hash: F011E5B2E181309BCB146F799D0458A3669EB46738F150777EC0997BA1C770C805CBD9

Function 6C80C4E0 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C80C4F0
free.MOZGLUE ref: 6C80C51A
TlsSetValue.KERNEL32 ref: 6C80C540
free.MOZGLUE ref: 6C80C557
DeleteCriticalSection.KERNEL32 ref: 6C80C56A
free.MOZGLUE ref: 6C80C576

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$Value$CriticalDeleteSection
String ID:
API String ID: 195087141-0
Opcode ID: 5c182cdcddf475a3979c3a3142c2cf3e15485c277852c2b1621bd829a64e93bf
Instruction ID: 7598829b913f0a9dc81fd8ab0fea16245045bb4cb9083ad12d9cd363738e71a3
Opcode Fuzzy Hash: 5c182cdcddf475a3979c3a3142c2cf3e15485c277852c2b1621bd829a64e93bf
Instruction Fuzzy Hash: 4F112E74609B118BDB21BF7DC54825EBBF4BF46745F150E2DE8DA87A01EB309054CB92

Function 6C82E520 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(00000000,?,?,6C837F5D,00000000,00000000,?,?,?,6C8380DD), ref: 6C82E532

Part of subcall function 6C8E9090: TlsGetValue.KERNEL32 ref: 6C8E90AB
Part of subcall function 6C8E9090: TlsGetValue.KERNEL32 ref: 6C8E90C9
Part of subcall function 6C8E9090: EnterCriticalSection.KERNEL32 ref: 6C8E90E5
Part of subcall function 6C8E9090: TlsGetValue.KERNEL32 ref: 6C8E9116
Part of subcall function 6C8E9090: LeaveCriticalSection.KERNEL32 ref: 6C8E913F

PR_EnterMonitor.NSS3(6C8380DD), ref: 6C82E549

Part of subcall function 6C8E9090: LeaveCriticalSection.KERNEL32 ref: 6C8E91AA
Part of subcall function 6C8E9090: TlsGetValue.KERNEL32 ref: 6C8E9212
Part of subcall function 6C8E9090: _PR_MD_WAIT_CV.NSS3 ref: 6C8E926B

PR_ExitMonitor.NSS3 ref: 6C82E56D
PL_HashTableDestroy.NSS3 ref: 6C82E57B

Part of subcall function 6C82E190: PR_EnterMonitor.NSS3(?,?,6C82E175), ref: 6C82E19C
Part of subcall function 6C82E190: PR_EnterMonitor.NSS3(6C82E175), ref: 6C82E1AA
Part of subcall function 6C82E190: PR_ExitMonitor.NSS3 ref: 6C82E208
Part of subcall function 6C82E190: PL_HashTableRemove.NSS3(?), ref: 6C82E219
Part of subcall function 6C82E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C82E231
Part of subcall function 6C82E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C82E249
Part of subcall function 6C82E190: PR_ExitMonitor.NSS3 ref: 6C82E257

PR_ExitMonitor.NSS3(6C8380DD), ref: 6C82E5B5
PR_DestroyMonitor.NSS3 ref: 6C82E5C3

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Monitor$Enter$ExitValue$CriticalSection$Arena_DestroyFreeHashLeaveTableUtil$Remove
String ID:
API String ID: 3740585915-0
Opcode ID: 1b6285fc7b59c441d9a0df9477225c48cc172eeb374b84e1304b51a5b697d95a
Instruction ID: 88482f0f7163ca4dae42919292538ae5a100df7681385c5dbe90b0473fd4a01d
Opcode Fuzzy Hash: 1b6285fc7b59c441d9a0df9477225c48cc172eeb374b84e1304b51a5b697d95a
Instruction Fuzzy Hash: 3C0161B1E2B180CBEF115B3AEA0569636B4B70724DF203C36D40683A91F771D594DBE2

Function 6C80AE30 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C80AFDA

Strings

unable to delete/modify collation sequence due to active statements, xrefs: 6C80AF5C
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C80AFC4
%s at line %d of [%.10s], xrefs: 6C80AFD3
misuse, xrefs: 6C80AFCE

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 632333372-924978290
Opcode ID: 9739f18fe80eb67db9bdc1f7004787b9f858d0d2c8fb520f411951459d802fc9
Instruction ID: e1f3f595e5d2604f5d334d8b67ac750a99494381ed7c23444630b4e0cc09eff6
Opcode Fuzzy Hash: 9739f18fe80eb67db9bdc1f7004787b9f858d0d2c8fb520f411951459d802fc9
Instruction Fuzzy Hash: E891D075B012158FDB24CF59CE94AEAB7F1AF45314F1949A8E865AB791D330EC01CB60

Function 6C7AE6D0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 194COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?), ref: 6C7AE81D
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010966,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,?,?,?,?,6C7ADB91,?,?), ref: 6C7AE8E7

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7AE8C5, 6C7AE8D1, 6C7AE8F9, 6C7AE905, 6C7AE911, 6C7AE91D, 6C7AE929, 6C7AE935
%s at line %d of [%.10s], xrefs: 6C7AE8E0
database corruption, xrefs: 6C7AE8DB

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: memsetsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 3107271255-598938438
Opcode ID: d7d6095e12a035771288be6100ce98b8d11b8a482c29c2adabe1d339a25180b7
Instruction ID: 5e70f328a64c6ec89ec71994820eca789b2f1b395d7bb4cb5a706d2781041064
Opcode Fuzzy Hash: d7d6095e12a035771288be6100ce98b8d11b8a482c29c2adabe1d339a25180b7
Instruction Fuzzy Hash: 3871E071D04229DFDB05CFDEC580AEEBBF0AB59314F14466AE844BBA42D370E951CBA1

Function 6C7AE4C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108D2,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C7AE53A
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000108BD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C7AE5BC

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7AE525, 6C7AE596, 6C7AE5A7
%s at line %d of [%.10s], xrefs: 6C7AE534, 6C7AE5B6
database corruption, xrefs: 6C7AE52F, 6C7AE5B1

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 3f47a4db097fc39dd0b679b69c29331dff8976328199efc3fd9800acc2c0c81f
Instruction ID: 6605dd0d464c68decccb474ea880bed3237dc279a1d3a01881672da70c3fb25c
Opcode Fuzzy Hash: 3f47a4db097fc39dd0b679b69c29331dff8976328199efc3fd9800acc2c0c81f
Instruction Fuzzy Hash: 473169306007189BD311CFDDDD9096BB3A1EB81324B580A7CE888A7B85F360E85AC3E0

Function 6C8847A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

NSSUTIL_ArgGetParamValue.NSS3(?,?,slotFlags,00000000), ref: 6C8847AF

Part of subcall function 6C884120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C88413D
Part of subcall function 6C884120: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C884162
Part of subcall function 6C884120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C88416B
Part of subcall function 6C884120: PL_strncasecmp.NSS3(6C884232,?,00000001), ref: 6C884187
Part of subcall function 6C884120: NSSUTIL_ArgSkipParameter.NSS3(6C884232), ref: 6C8841A0
Part of subcall function 6C884120: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8841B4
Part of subcall function 6C884120: PL_strncasecmp.NSS3(00000000,0000003D,?), ref: 6C8841CC
Part of subcall function 6C884120: NSSUTIL_ArgFetchValue.NSS3(6C884232,?), ref: 6C884203

PL_strcasecmp.NSS3(00000000,all,?,?,slotFlags,00000000), ref: 6C8847C3
PL_strncasecmp.NSS3(00000000,?,?), ref: 6C8847F0
free.MOZGLUE(?,?,?,?,?,slotFlags,00000000), ref: 6C884823

Strings

all, xrefs: 6C8847BD

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: L_strncasecmp$Valuestrlen$FetchL_strcasecmpParamParameterSkipfreeisspacestrcpy
String ID: all
API String ID: 1061888981-991457757
Opcode ID: a94a2c375d6623c8d3015531084929df32800bc8e08ebcbb70af41688549e50a
Instruction ID: 5604d0f7234f12a1f2505feb86dea9ad0dd55743ad1fad5a078090db11764643
Opcode Fuzzy Hash: a94a2c375d6623c8d3015531084929df32800bc8e08ebcbb70af41688549e50a
Instruction Fuzzy Hash: 85116673C062A86BEF212E69AE107AA3B6DEFC734EF540831E85442D02E3728515C791

Function 6C810DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C810BDE), ref: 6C810DCB
strrchr.VCRUNTIME140(00000000,0000005C,?,6C810BDE), ref: 6C810DEA
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C810BDE), ref: 6C810DFC
PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C810BDE), ref: 6C810E32

Strings

%s incr => %d (find lib), xrefs: 6C810E2D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: strrchr$Print_stricmp
String ID: %s incr => %d (find lib)
API String ID: 97259331-2309350800
Opcode ID: 23adcea333e6066aaedb3bd1b17df0772b28049ed8a626c561396478e6a972f7
Instruction ID: 5af7e58db732c1820f9cad7d78ee98c31ca7808ac91d76844c939f0dcf7d7d03
Opcode Fuzzy Hash: 23adcea333e6066aaedb3bd1b17df0772b28049ed8a626c561396478e6a972f7
Instruction Fuzzy Hash: 160124727042249FEB208F259C45E1773ECDF46A0AB15482DE909D3E41E761EC2487E1

Function 6C86C590 Relevance: 7.7, APIs: 5, Instructions: 155COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C86C5C7
PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C86C603
PK11_DoesMechanism.NSS3(?,?,?,?), ref: 6C86C636
PK11_FreeSymKey.NSS3(?), ref: 6C86C6D7
PK11_FreeSymKey.NSS3(?), ref: 6C86C6E1

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: K11_$DoesMechanism$Free
String ID:
API String ID: 3860933388-0
Opcode ID: 6d81726e3ab183d68edd3878b6b6f54ce5b0d877dcfdfe7a562d44ab194602df
Instruction ID: deade1611cb029c1548ad44977b48d2addddd118aec41660084394ca6c6ac35e
Opcode Fuzzy Hash: 6d81726e3ab183d68edd3878b6b6f54ce5b0d877dcfdfe7a562d44ab194602df
Instruction Fuzzy Hash: DD41A1B560120AAFDF219F6ADD809AB77A9EF18248B104838FC14D7B11E731DC25CBA1

Function 6C8667D0 Relevance: 7.6, APIs: 5, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8661F0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(70E85609,6C85C79F,6C86781D,?,6C85BD52,00000001,70E85609,D85D8B04,?,?), ref: 6C866207
Part of subcall function 6C8661F0: PORT_Alloc_Util.NSS3(-00000002,?,6C85C79F,6C86781D,?,6C85BD52,00000001,70E85609,D85D8B04,?,?), ref: 6C866216
Part of subcall function 6C8661F0: NSSUTIL_ArgStrip.NSS3(70E85609,?,?,6C85C79F,6C86781D,?,6C85BD52,00000001,70E85609,D85D8B04,?,?), ref: 6C866242
Part of subcall function 6C8661F0: memcpy.VCRUNTIME140(00000000,70E85609,00000000,?,?,?,6C85C79F,6C86781D,?,6C85BD52,00000001,70E85609,D85D8B04,?,?), ref: 6C86625A
Part of subcall function 6C8661F0: PL_strncasecmp.NSS3(00000000,tokens=,00000007), ref: 6C866289
Part of subcall function 6C8661F0: PL_strncasecmp.NSS3(00000000,cryptoTokenDescription=,00000017), ref: 6C86629D
Part of subcall function 6C8661F0: free.MOZGLUE(6C86781D), ref: 6C8662B4
Part of subcall function 6C8661F0: NSSUTIL_ArgFetchValue.NSS3(00000017,?), ref: 6C8662BF
Part of subcall function 6C8661F0: PL_strncasecmp.NSS3(?,cryptoSlotDescription=,00000016), ref: 6C866304
Part of subcall function 6C8661F0: free.MOZGLUE(6C86781D), ref: 6C86631B
Part of subcall function 6C8661F0: NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C866326

PORT_Alloc_Util.NSS3(00000001,?,?,?,?,?,00000000,6C85C79F,6C86781D,?,6C85BD84,?,00000000,00000000), ref: 6C866834
free.MOZGLUE(6C85C79F,?,?,?,?,?,?,00000000,6C85C79F,6C86781D,?,6C85BD84,?,00000000,00000000), ref: 6C8668C2
free.MOZGLUE(6C85C79F,?,?,?,?,?,?,00000000,6C85C79F,6C86781D,?,6C85BD84,?,00000000,00000000), ref: 6C8668D3
free.MOZGLUE(6C86781D,?,?,?,?,?,?,?,00000000,6C85C79F,6C86781D,?,6C85BD84,?,00000000,00000000), ref: 6C8668E1
free.MOZGLUE(?,?,?,?,?,?,?,00000000,6C85C79F,6C86781D,?,6C85BD84,?,00000000,00000000), ref: 6C8668ED

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$L_strncasecmp$Alloc_FetchUtilValue$Stripmemcpystrlen
String ID:
API String ID: 1610830232-0
Opcode ID: 34324c864090d446bfef313983a55ff347c0abb26f43cfdc8b8bd09b069f4a6c
Instruction ID: 1a1dac16876d06f45e56d9f6ce733f0bc19daa10276f7fb5e1b7f568ab75fd61
Opcode Fuzzy Hash: 34324c864090d446bfef313983a55ff347c0abb26f43cfdc8b8bd09b069f4a6c
Instruction Fuzzy Hash: DE41BEB1E0122A8BDF14CFAAC9449AEB7B5FF48318F144539D806E7B01E731A915CBE0

Function 6C884690 Relevance: 7.6, APIs: 5, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(00000001,00000000,00000000,6C970148,?,6C8373A4,?,00000027,00000022), ref: 6C8846D9
PORT_ZAlloc_Util.NSS3(00000001,00000022), ref: 6C88473E
free.MOZGLUE(00000000,?,00000022), ref: 6C88476C
free.MOZGLUE(00000000,?,00000022), ref: 6C88477A
PORT_Strdup_Util.NSS3(6C970148,00000000,00000000,6C970148,?,6C8373A4,?,00000027,00000022), ref: 6C884788

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Alloc_free$Strdup_
String ID:
API String ID: 1542459429-0
Opcode ID: 3d7b63af541a7031b910b5140122a1c0d7e1d89596ed68472a5e726bf901dfed
Instruction ID: 5651b52aba1bc45783a5a3ef055f565f2873f33e763580cdbac0cceb7bcb8e2a
Opcode Fuzzy Hash: 3d7b63af541a7031b910b5140122a1c0d7e1d89596ed68472a5e726bf901dfed
Instruction Fuzzy Hash: 2E31072760F6C94EEF22593D1EB13E32F9E4BCB25DB1C0878D8D6C7E12D617940986A1

Function 6C8687A0 Relevance: 7.6, APIs: 5, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,00000000,00000000,00000000,00000000,?,6C8695A0), ref: 6C8687B3

Part of subcall function 6C87BE30: SECOID_FindOID_Util.NSS3(6C83311B,00000000,?,6C83311B,?), ref: 6C87BE44

PORT_NewArena_Util.NSS3(00000800,6C8695A0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C868829
PORT_ArenaAlloc_Util.NSS3(00000000,00000034,?,6C8695A0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C868842
SEC_ASN1DecodeItem_Util.NSS3(?,00000000,6C94D8C4,?,?,?,?,6C8695A0), ref: 6C868872
PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,6C8695A0), ref: 6C8688CE

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena_$AlgorithmAlloc_ArenaDecodeFindFreeItem_Tag_
String ID:
API String ID: 906083512-0
Opcode ID: ca3a9b29e35e9d39ec33fbb7d49479f7f1d368da29366737b6348b73849351d8
Instruction ID: 8ac58286f6509ae6e9b069627a2397988684439c8e653f62034ce579313b55ea
Opcode Fuzzy Hash: ca3a9b29e35e9d39ec33fbb7d49479f7f1d368da29366737b6348b73849351d8
Instruction Fuzzy Hash: 16313776E4512847FB30862BAE40BAA7215FB43368F150E77E90DA7F81EB60D94487D1

Function 6C8B2460 Relevance: 7.6, APIs: 5, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,6C957379,00000002,?), ref: 6C8B2493
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C8B24B4
PR_SetError.NSS3(FFFFE005,00000000,?,?,?,?,?,6C957379,00000002,?), ref: 6C8B24EA
PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,6C957379,00000002,?), ref: 6C8B24F5
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,6C957379,00000002,?), ref: 6C8B24FE

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Error$Alloc_FreeK11_Utilfree
String ID:
API String ID: 2595244113-0
Opcode ID: c22e234b6d44fa0524539b01b9856da1583a4a5833547eb64cdbda24eac6cb46
Instruction ID: 01a0cc2a9829f573599399632cc5a91813913371479a315d96df1633e845ab48
Opcode Fuzzy Hash: c22e234b6d44fa0524539b01b9856da1583a4a5833547eb64cdbda24eac6cb46
Instruction Fuzzy Hash: F63127B1A00116AFEB208FA4DD05BFBB7A4EF48308F104525FD14A6B90F734D855C7A2

Function 6C8B8530 Relevance: 7.6, APIs: 5, Instructions: 103COMMON

Download Yara Rule

APIs

PR_GetIdentitiesLayer.NSS3 ref: 6C8B8549
TlsGetValue.KERNEL32 ref: 6C8B85CF
TlsGetValue.KERNEL32 ref: 6C8B85FE
TlsGetValue.KERNEL32 ref: 6C8B8629
memcpy.VCRUNTIME140 ref: 6C8B8655

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$IdentitiesLayermemcpy
String ID:
API String ID: 2311246771-0
Opcode ID: 06680efd35675396c3af1d9cd87efc42f8684d9d7e267902a23157a386358705
Instruction ID: b45e18d4ef9651aebdfa66b5010f00f3ece84ded06422de5101c26078335ad18
Opcode Fuzzy Hash: 06680efd35675396c3af1d9cd87efc42f8684d9d7e267902a23157a386358705
Instruction Fuzzy Hash: D341747060A647CBD7209F79D74876AB7B5BF47308F208E2AD89897B51D730D894CB82

Function 6C81EDE0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C81EDFD
calloc.MOZGLUE(00000001,00000000), ref: 6C81EE64
PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6C81EECC
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C81EEEB
free.MOZGLUE(?), ref: 6C81EEF6

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ErrorValuecallocfreememcpy
String ID:
API String ID: 3833505462-0
Opcode ID: 15d384e2376b7cf8ae47f358044b3c5d9947a90a24b97598b957fd5642436fe5
Instruction ID: 993a37c40c18641c76aa96f43666cdb8299b2642eeb1e6115c37cdcdb4a19345
Opcode Fuzzy Hash: 15d384e2376b7cf8ae47f358044b3c5d9947a90a24b97598b957fd5642436fe5
Instruction Fuzzy Hash: 1731F5B1A086069BEB309F2CCD48B667BF4FB46305F240D28E85A87E50D731E814CBE1

Function 6C93A530 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C93A55C
PR_IntervalNow.NSS3 ref: 6C93A573
PR_IntervalNow.NSS3 ref: 6C93A5A5
_PR_MD_UNLOCK.NSS3(?), ref: 6C93A603

Part of subcall function 6C8E9890: TlsGetValue.KERNEL32(?,?,?,6C8E97EB), ref: 6C8E989E

_PR_MD_UNLOCK.NSS3(?), ref: 6C93A636

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Interval$CriticalEnterSectionValue
String ID:
API String ID: 959321092-0
Opcode ID: f425b9330eaa14a39e354f8bbff5c2d40b86510d78189c6c6c8182af72f0625c
Instruction ID: 84b6a52fd07bb1f18cb6bfff68fda5d08c0bc9c94f4dd50a9027d41e7cb4f54b
Opcode Fuzzy Hash: f425b9330eaa14a39e354f8bbff5c2d40b86510d78189c6c6c8182af72f0625c
Instruction Fuzzy Hash: FF3161B16016258FCB10DF69C484A9AB7F9FF49318B158575D8188BB26DB30EC84CFA0

Function 6C8486D0 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C848716
TlsGetValue.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C848727
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C84873B
PR_Unlock.NSS3(?), ref: 6C84876F
PR_SetError.NSS3(00000000,00000000), ref: 6C848787

Part of subcall function 6C8479F0: memcpy.VCRUNTIME140(?,6C94AB28,000000FC), ref: 6C847A1E
Part of subcall function 6C8479F0: PR_SetError.NSS3(FFFFE001,00000000), ref: 6C847A48

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Error$AuthenticateCriticalEnterK11_SectionUnlockValuememcpy
String ID:
API String ID: 3710639568-0
Opcode ID: 151d7242874076de3d0b0d9e68db415649087ee26929dccdf9cd958aa8fdcf15
Instruction ID: 67734e852b330d79f4a496806ea0b9509a1c3ece90c8a23218e7e4c90608933f
Opcode Fuzzy Hash: 151d7242874076de3d0b0d9e68db415649087ee26929dccdf9cd958aa8fdcf15
Instruction Fuzzy Hash: 1E314C75A00208ABDF209F68DD40A9B7BB9EF46318F158835FD099B711EB31E904C7A1

Function 6C8244D0 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3 ref: 6C8244FF

Part of subcall function 6C8807B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C828298,?,?,?,6C81FCE5,?), ref: 6C8807BF
Part of subcall function 6C8807B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8807E6
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C88081B
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C880825

SECOID_FindOID_Util.NSS3(?), ref: 6C824524
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C824537
CERT_AddExtensionByOID.NSS3(00000001,?,?,?,00000001), ref: 6C824579

Part of subcall function 6C8241B0: PORT_ArenaAlloc_Util.NSS3(?,00000024), ref: 6C8241BE
Part of subcall function 6C8241B0: PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C8241E9
Part of subcall function 6C8241B0: SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6C824227
Part of subcall function 6C8241B0: SECITEM_CopyItem_Util.NSS3(?,-00000018,?), ref: 6C82423D

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C82459C

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Error$Alloc_ArenaCopyFindHashItem_LookupTable$ConstEqual_ExtensionItems
String ID:
API String ID: 3193526912-0
Opcode ID: ebf86faa50ffcf2ec35f4368ae81f486fcdccb540a5d46777f353d11653d57bb
Instruction ID: 6758d4879e5df7fdc5c0a75edf80f312f62455e1547f049aa8511e8ec434eec2
Opcode Fuzzy Hash: ebf86faa50ffcf2ec35f4368ae81f486fcdccb540a5d46777f353d11653d57bb
Instruction Fuzzy Hash: 0E21C7716016149BEB30CE299F4CB6737A99FC1658F140C28AC59CBA41E729E984C6F1

Function 6C82A6B0 Relevance: 7.6, APIs: 5, Instructions: 90timeCOMMON

Download Yara Rule

APIs

CERT_CheckCertValidTimes.NSS3(00000000,00000000,6C82A2FA,00000000,6C82A2FA,00000000), ref: 6C82A6E4

Part of subcall function 6C821DD0: DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C821E0B
Part of subcall function 6C821DD0: DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C821E24

TlsGetValue.KERNEL32(?,?,?,?,6C82A2FA,00000000), ref: 6C82A723
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C82A2FA,00000000), ref: 6C82A733
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C82A2FA,00000000), ref: 6C82A74C
PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,6C82A2FA,00000000), ref: 6C82A774

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Choice_DecodeTime$Arena_CertCheckCriticalEnterFreeSectionTimesUnlockValidValue
String ID:
API String ID: 2353111112-0
Opcode ID: 834b3abb957194e2ea61881022697bdaa140a097bf5775f0c590b84964c5bbf4
Instruction ID: 086ae0e3a1b8f0aebc7f31f4230f90a021e4d317472eb3b303333abc17aab96f
Opcode Fuzzy Hash: 834b3abb957194e2ea61881022697bdaa140a097bf5775f0c590b84964c5bbf4
Instruction Fuzzy Hash: DE212975A05600AFE7205E2CCE487E777B89F4B358F244C29ECE887741EB35D88486D9

Function 6C82E5E0 Relevance: 7.6, APIs: 5, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,00000000,00000000,00000000,?,6C82E755,00000000,00000004,?,?), ref: 6C82E5F5

Part of subcall function 6C8814C0: TlsGetValue.KERNEL32 ref: 6C8814E0
Part of subcall function 6C8814C0: EnterCriticalSection.KERNEL32 ref: 6C8814F5
Part of subcall function 6C8814C0: PR_Unlock.NSS3 ref: 6C88150D

PR_SetError.NSS3(FFFFE005,00000000,?), ref: 6C82E62C
SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000000,?), ref: 6C82E63E

Part of subcall function 6C87F9A0: PORT_ArenaMark_Util.NSS3(?,00000000,-00000002,?,-00000002,?,6C81F379,?,00000000,-00000002), ref: 6C87F9B7

PK11_HashBuf.NSS3(?,?,?,?,?,?,?,?), ref: 6C82E65C

Part of subcall function 6C84DDD0: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C84DDEC
Part of subcall function 6C84DDD0: PK11_DigestBegin.NSS3(00000000), ref: 6C84DE70
Part of subcall function 6C84DDD0: PK11_DigestOp.NSS3(00000000,00000004,00000000), ref: 6C84DE83
Part of subcall function 6C84DDD0: HASH_ResultLenByOidTag.NSS3(?), ref: 6C84DE95
Part of subcall function 6C84DDD0: PK11_DigestFinal.NSS3(00000000,00000000,?,00000040), ref: 6C84DEAE
Part of subcall function 6C84DDD0: PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C84DEBB

SECITEM_ZfreeItem_Util.NSS3(00000000,00000000,?), ref: 6C82E68E

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: K11_Util$Digest$ArenaItem_Mark_$AllocBeginContextCriticalDestroyEnterErrorFinalFindHashResultSectionTag_UnlockValueZfree
String ID:
API String ID: 2865137721-0
Opcode ID: a3a89b2af733e35b5063d925a0347e14bcb9d919b36c9b216162f5a6fb2f6e13
Instruction ID: 83909f215d73178d45b309bd779e186abc22c7854f28e82504aff434c518d505
Opcode Fuzzy Hash: a3a89b2af733e35b5063d925a0347e14bcb9d919b36c9b216162f5a6fb2f6e13
Instruction Fuzzy Hash: D2213176B022006FFB204EBADE88F6B77989F8024AF144938ED1987A51EB34DD54C3D4

Function 6C82AD90 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6C823FFF,00000000,?,?,?,?,?,6C821A1C,00000000,00000000), ref: 6C82ADA7

Part of subcall function 6C8814C0: TlsGetValue.KERNEL32 ref: 6C8814E0
Part of subcall function 6C8814C0: EnterCriticalSection.KERNEL32 ref: 6C8814F5
Part of subcall function 6C8814C0: PR_Unlock.NSS3 ref: 6C88150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C823FFF,00000000,?,?,?,?,?,6C821A1C,00000000,00000000), ref: 6C82ADB4

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6C823FFF,?,?,?,?,6C823FFF,00000000,?,?,?,?,?,6C821A1C,00000000), ref: 6C82ADD5

Part of subcall function 6C87FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C878D2D,?,00000000,?), ref: 6C87FB85
Part of subcall function 6C87FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C87FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C9494B0,?,?,?,?,?,?,?,?,6C823FFF,00000000,?), ref: 6C82ADEC

Part of subcall function 6C87B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9518D0,?), ref: 6C87B095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C823FFF), ref: 6C82AE3C

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID:
API String ID: 2372449006-0
Opcode ID: 081de0d98d877b924012439ce6c4a7a200fc74fdfa0500f9fec41bfcfcca2e5a
Instruction ID: d8ce4949410d3019e97aad628918dc917b3d34254213c8f9d2369a72bf1e3483
Opcode Fuzzy Hash: 081de0d98d877b924012439ce6c4a7a200fc74fdfa0500f9fec41bfcfcca2e5a
Instruction Fuzzy Hash: D2113F71E003055BE7309B699D44BFF73E8DF5524DF044938EC2596B41FB24E59982E2

Function 6C848E80 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,?,6C862E62,?,?,?,?,?,?,?,00000000,?,?,?,6C834F1C), ref: 6C848EA2

Part of subcall function 6C86F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C86F854
Part of subcall function 6C86F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C86F868
Part of subcall function 6C86F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C86F882
Part of subcall function 6C86F820: free.MOZGLUE(04C483FF,?,?), ref: 6C86F889
Part of subcall function 6C86F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C86F8A4
Part of subcall function 6C86F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C86F8AB
Part of subcall function 6C86F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C86F8C9
Part of subcall function 6C86F820: free.MOZGLUE(280F10EC,?,?), ref: 6C86F8D0

PK11_IsLoggedIn.NSS3(?,?,?,6C862E62,?,?,?,?,?,?,?,00000000,?,?,?,6C834F1C), ref: 6C848EC3
TlsGetValue.KERNEL32(?,?,?,6C862E62,?,?,?,?,?,?,?,00000000,?,?,?,6C834F1C), ref: 6C848EDC
EnterCriticalSection.KERNEL32(?,?,?,?,6C862E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6C848EF1
PR_Unlock.NSS3 ref: 6C848F20

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
String ID:
API String ID: 1978757487-0
Opcode ID: 1154d0e8d3b90476bf276e02588c505c0cade7a748b5941b307135c3dac7417b
Instruction ID: 2e49f0fd48bbe3ecd634dd99a4466cd1d1ac35280c9ec212124a57e65f174108
Opcode Fuzzy Hash: 1154d0e8d3b90476bf276e02588c505c0cade7a748b5941b307135c3dac7417b
Instruction Fuzzy Hash: 22217C709096099FC710AF29D684699BBF4FF49318F01896EEC98DBB40D730E854CBD2

Function 6C8826A0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

_NSSUTIL_GetSecmodName.NSS3(?,?,?,?,?), ref: 6C8826DD

Part of subcall function 6C885DE0: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?), ref: 6C885E08
Part of subcall function 6C885DE0: NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C885E3F
Part of subcall function 6C885DE0: PL_strncasecmp.NSS3(00000000,readOnly,00000008), ref: 6C885E5C
Part of subcall function 6C885DE0: free.MOZGLUE(00000000), ref: 6C885E7E
Part of subcall function 6C885DE0: free.MOZGLUE(00000000), ref: 6C885E97
Part of subcall function 6C885DE0: PORT_Strdup_Util.NSS3(secmod.db), ref: 6C885EA5
Part of subcall function 6C885DE0: _NSSUTIL_EvaluateConfigDir.NSS3(00000000,?,?), ref: 6C885EBB
Part of subcall function 6C885DE0: NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C885ECB
Part of subcall function 6C885DE0: PL_strncasecmp.NSS3(00000000,noModDB,00000007), ref: 6C885EF0

PR_SetError.NSS3(FFFFE0B1,00000000), ref: 6C8826F8

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

free.MOZGLUE(00000000), ref: 6C883434
free.MOZGLUE(?), ref: 6C883448
free.MOZGLUE(?), ref: 6C88345C

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$Value$L_strncasecmpParam$ConfigErrorEvaluateNameSecmodStrdup_Utilisspace
String ID:
API String ID: 3127463018-0
Opcode ID: b0c091f7c7b69ac7ddacbd6e75638095dc0755a24833d4828a1ca8c4e64b0b24
Instruction ID: 44f61a87ea5c1d01ef1f23a8b195b964809a208a4602cbb6a43f90094c87e47a
Opcode Fuzzy Hash: b0c091f7c7b69ac7ddacbd6e75638095dc0755a24833d4828a1ca8c4e64b0b24
Instruction Fuzzy Hash: 1511E4B1A011189BDF21DF58DC85ADA73B8FF02354F148878E84A97640FB31EA04CBE1

Function 6C8B04C0 Relevance: 7.6, APIs: 5, Instructions: 63synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(ED850FC0,000000FF,?,00000000,?,6C8B461B,-00000004), ref: 6C8B04DF
TlsGetValue.KERNEL32(?,00000000,?,6C8B461B,-00000004), ref: 6C8B0510
EnterCriticalSection.KERNEL32(ED850FDC), ref: 6C8B0520
PR_SetError.NSS3(FFFFE89D,00000000,?,00000000,?,6C8B461B,-00000004), ref: 6C8B0534
GetLastError.KERNEL32(?,6C8B461B,-00000004), ref: 6C8B0543

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Error$CriticalEnterLastObjectSectionSingleValueWait
String ID:
API String ID: 3052423345-0
Opcode ID: fe7224a69e2ad457845bdeb2255df5bcb78d6647199aed23c4484b533bfc15b3
Instruction ID: 2d0d6fcb4ba0b0d782bff22fb075d814fc1b0d534c0094fd1ba1eab58958d27e
Opcode Fuzzy Hash: fe7224a69e2ad457845bdeb2255df5bcb78d6647199aed23c4484b533bfc15b3
Instruction Fuzzy Hash: 8D11EBF1A091559BDB206B389F04B6A3764AF02319F744E25E42AF7F90EB31D544C791

Function 6C838FE0 Relevance: 7.6, APIs: 5, Instructions: 63threadCOMMON

Download Yara Rule

APIs

PR_GetThreadPrivate.NSS3(FFFFFFFF,?,6C840710), ref: 6C838FF1
PR_CallOnce.NSS3(6C982158,6C839150,00000000,?,?,?,6C839138,?,6C840710), ref: 6C839029
calloc.MOZGLUE(00000001,00000000,?,?,6C840710), ref: 6C83904D
memcpy.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,6C840710), ref: 6C839066
PR_SetThreadPrivate.NSS3(00000000,?,?,?,?,6C840710), ref: 6C839078

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: PrivateThread$CallOncecallocmemcpy
String ID:
API String ID: 1176783091-0
Opcode ID: 42738fa4463fa59ef93c12b8781835395f837aa12f92a1d10675fe533b404253
Instruction ID: 015043f49dbbfac06b5855d2fc7a0ba4be145713056a773ee2b8cd45172ff562
Opcode Fuzzy Hash: 42738fa4463fa59ef93c12b8781835395f837aa12f92a1d10675fe533b404253
Instruction Fuzzy Hash: 6411022160613157EB3016EDDD14A6A32A8EB827A8F502D31FC4CC2A40FB5ACD4583E1

Function 6C822750 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,00000000,00000000,?,?,6C88CBA2,00000000,00000000), ref: 6C822765
SECITEM_CopyItem_Util.NSS3(00000000,00000000,6C88CBEA,00000000,00000000), ref: 6C822783
CERT_CopyName.NSS3(00000000,0000000C,6C88CC4A,?,?,?,00000000,00000000), ref: 6C82279F
SECITEM_CopyItem_Util.NSS3(00000000,00000014,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8227BA
PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000), ref: 6C8227D2

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CopyUtil$Item_$Alloc_ArenaErrorNameValue
String ID:
API String ID: 325484714-0
Opcode ID: 0fc6037d220975863a667b8beee6feb332bc23505dc64b7418f85d60b42de3f2
Instruction ID: cdc16ec9a04bc6fe468e572b5dff4ef5f0f267a42e68dd7087faf3d98f97cb90
Opcode Fuzzy Hash: 0fc6037d220975863a667b8beee6feb332bc23505dc64b7418f85d60b42de3f2
Instruction Fuzzy Hash: 8B116BB6A043056FE3209A279D88FA7735CDFD525CF044A39FD0987A02FB78E58942B0

Function 6C84CD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6C861E10: TlsGetValue.KERNEL32 ref: 6C861E36
Part of subcall function 6C861E10: EnterCriticalSection.KERNEL32(?,?,?,6C83B1EE,2404110F,?,?), ref: 6C861E4B
Part of subcall function 6C861E10: PR_Unlock.NSS3 ref: 6C861E76

free.MOZGLUE(?,6C84D079,00000000,00000001), ref: 6C84CDA5
PK11_FreeSymKey.NSS3(?,6C84D079,00000000,00000001), ref: 6C84CDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C84D079,00000000,00000001), ref: 6C84CDCF
DeleteCriticalSection.KERNEL32(?,6C84D079,00000000,00000001), ref: 6C84CDE2
free.MOZGLUE(?), ref: 6C84CDE9

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: 405ed7737e00d1a26d50906a2ace25c53af656720229373038bdc603be8ed5f5
Instruction ID: f4611924a7915a4c16e1744c1d0cf3f24b5a0772fa5431a2a56107581db8a169
Opcode Fuzzy Hash: 405ed7737e00d1a26d50906a2ace25c53af656720229373038bdc603be8ed5f5
Instruction Fuzzy Hash: 2D11C6B2B01125ABDF10AE65ED45E96B76CFF0425A7108931E90987E02E732E438C7E1

Function 6C8B2CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C8B5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C8B5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8B2CEC

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

PR_EnterMonitor.NSS3(?), ref: 6C8B2D02
PR_EnterMonitor.NSS3(?), ref: 6C8B2D1F
PR_ExitMonitor.NSS3(?), ref: 6C8B2D42
PR_ExitMonitor.NSS3(?), ref: 6C8B2D5B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: cc69c4c352322882a86d388b4db3e6e48d90915aa9b385cf95487fb559b2bfe9
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: 0001C4F1A002046BEA319F29FD40BC7B7A1EF45319F044D35E85996720E636F919C793

Function 6C8B2D70 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C8B5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C8B5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8B2D9C

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

PR_EnterMonitor.NSS3(?), ref: 6C8B2DB2
PR_EnterMonitor.NSS3(?), ref: 6C8B2DCF
PR_ExitMonitor.NSS3(?), ref: 6C8B2DF2
PR_ExitMonitor.NSS3(?), ref: 6C8B2E0B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction ID: aeedb4b53f40e08b4a61cb4f10566a9168ff3ff05aca922eada3a78f5557f432
Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction Fuzzy Hash: 0D0104F1A002046FEA309E2AFD40BC7B3A1EF46319F040C34E84996B11D632F9258693

Function 6C84AE30 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 6C833090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C84AE42), ref: 6C8330AA
Part of subcall function 6C833090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8330C7
Part of subcall function 6C833090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C8330E5
Part of subcall function 6C833090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C833116
Part of subcall function 6C833090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C83312B
Part of subcall function 6C833090: PK11_DestroyObject.NSS3(?,?), ref: 6C833154
Part of subcall function 6C833090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C83317E

SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6C8299FF,?,?,?,?,?,?,?,?,?,6C822D6B,?), ref: 6C84AE67
SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6C8299FF,?,?,?,?,?,?,?,?,?,6C822D6B,?), ref: 6C84AE7E
SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C822D6B,?,?,00000000), ref: 6C84AE89
PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6C822D6B,?,?,00000000), ref: 6C84AE96
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6C822D6B,?,?), ref: 6C84AEA3

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
String ID:
API String ID: 754562246-0
Opcode ID: a756ab10c357a779505f68500d7bad17ced5309943c9460b9e38ec4d04182fd2
Instruction ID: 9db197e24228281f3195998c8f693a5446d966937709f3605aa8071e047a7f26
Opcode Fuzzy Hash: a756ab10c357a779505f68500d7bad17ced5309943c9460b9e38ec4d04182fd2
Instruction Fuzzy Hash: 5001D166B0412C57E731A16CAF81EEF31588B9765DF088C32E829CBB41F616D90542E2

Function 6C93ADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6C93A6D8), ref: 6C93AE0D
free.MOZGLUE(?), ref: 6C93AE14
DeleteCriticalSection.KERNEL32(6C93A6D8), ref: 6C93AE36
free.MOZGLUE(?), ref: 6C93AE3D
free.MOZGLUE(00000000,00000000,?,?,6C93A6D8), ref: 6C93AE47

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 05e50e95b5c9c08c087e6f2ace5f5261bbd2d735414fbd34d641d510e1a9a55d
Instruction ID: c6e121ff0d7e34e3fe7166be9fbf34e9a8685f3ebde90d14ee8858ea9a3aa756
Opcode Fuzzy Hash: 05e50e95b5c9c08c087e6f2ace5f5261bbd2d735414fbd34d641d510e1a9a55d
Instruction Fuzzy Hash: 1AF09676202A11A7CF11AFA8D80895777BCBF867757240328F52E83980D735E115C7E5

Function 6C7B6C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C7B6D36

Strings

9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C7B6D20
%s at line %d of [%.10s], xrefs: 6C7B6D2F
database corruption, xrefs: 6C7B6D2A

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: d36f589aa0cf57c934b9271302258f3648d294e6ba92270e5ac8fff9cae7684f
Instruction ID: 0ae4e92e3dbeb3d36f247cac4f06e1164197040ee5759adff38fd69ec1d906e3
Opcode Fuzzy Hash: d36f589aa0cf57c934b9271302258f3648d294e6ba92270e5ac8fff9cae7684f
Instruction Fuzzy Hash: 2B2136307003049BCB18CF1ACA46B5AB7F2AF80318F14462CD949ABF51E370FA49C792

Function 6C8ECC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6C8ECD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C8ECC7B), ref: 6C8ECD7A
Part of subcall function 6C8ECD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C8ECD8E
Part of subcall function 6C8ECD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C8ECDA5
Part of subcall function 6C8ECD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C8ECDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C8ECCB5
memcpy.VCRUNTIME140(6C9814F4,6C9802AC,00000090), ref: 6C8ECCD3
memcpy.VCRUNTIME140(6C981588,6C9802AC,00000090), ref: 6C8ECD2B

Part of subcall function 6C809AC0: socket.WSOCK32(?,00000017,6C8099BE), ref: 6C809AE6
Part of subcall function 6C809AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C8099BE), ref: 6C809AFC

Part of subcall function 6C810590: closesocket.WSOCK32(6C809A8F,?,?,6C809A8F,00000000), ref: 6C810597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6C8ECCB0

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: de8c96faf22aa6fc29c590b6c531c37ab9fc867f73d90fdf77737faed3da23b4
Instruction ID: 02e200b8db0ab59415d0e4f20be189223dd0e711427948fd0638e7f18bd68f04
Opcode Fuzzy Hash: de8c96faf22aa6fc29c590b6c531c37ab9fc867f73d90fdf77737faed3da23b4
Instruction Fuzzy Hash: AE1154F2B0A3505EDB109F69DD067823AB8A357318F242D39E52A8BBC2E775C40447D6

Function 6C860630 Relevance: 6.1, APIs: 4, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C861940: TlsGetValue.KERNEL32(00000000,00000000,?,00000001,?,6C86563C,?,?,00000000,00000001,00000002,?,?,?,?,?), ref: 6C86195C
Part of subcall function 6C861940: EnterCriticalSection.KERNEL32(?,?,6C86563C,?,?,00000000,00000001,00000002,?,?,?,?,?,6C83EAC5,00000001), ref: 6C861970
Part of subcall function 6C861940: PR_Unlock.NSS3(?,?,00000000,00000001,00000002,?,?,?,?,?,6C83EAC5,00000001,?,6C83CE9B,00000001,6C83EAC5), ref: 6C8619A0

PORT_Alloc_Util.NSS3(00000000,?,?,?,?,?,?,00000000,?,00000009), ref: 6C860678

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,00000000,?,00000009), ref: 6C8606E6
PR_SetError.NSS3(FFFFE002,00000000), ref: 6C860770

Part of subcall function 6C861EA0: PR_SetError.NSS3(FFFFE002,00000000,?,00000001,?,?,6C846295,?,00000000,00000000,00000001,6C862653,?), ref: 6C861ECB

free.MOZGLUE(?), ref: 6C860787

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Error$Value$Alloc_CriticalEnterSectionUnlockUtilfreemalloc
String ID:
API String ID: 1159529522-0
Opcode ID: bd2b707e8b4a50d20971668c56d8e58ef0257083e3102ed0458ea04c94a9a65d
Instruction ID: b678c5004e5cf0338fb5942b183b3573981bec1d4b7598c7174b50742f130e68
Opcode Fuzzy Hash: bd2b707e8b4a50d20971668c56d8e58ef0257083e3102ed0458ea04c94a9a65d
Instruction Fuzzy Hash: DA413BB1D002055BDB20DF6A9D80FAF7B79AF86354F140938E91997B02EB31D914CBE9

Function 6C938530 Relevance: 6.1, APIs: 4, Instructions: 127threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C9814E4,6C8ECC70), ref: 6C938569
gethostbyaddr.WSOCK32(?,00000004,00000002), ref: 6C9385AD
GetLastError.KERNEL32(?,00000004,00000002), ref: 6C9385B6
PR_GetCurrentThread.NSS3(?,00000004,00000002), ref: 6C9385C6

Part of subcall function 6C810F00: PR_GetPageSize.NSS3(6C810936,FFFFE8AE,?,6C7A16B7,00000000,?,6C810936,00000000,?,6C7A204A), ref: 6C810F1B
Part of subcall function 6C810F00: PR_NewLogModule.NSS3(clock,6C810936,FFFFE8AE,?,6C7A16B7,00000000,?,6C810936,00000000,?,6C7A204A), ref: 6C810F25

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CallCurrentErrorLastModuleOncePageSizeThreadgethostbyaddr
String ID:
API String ID: 4254312643-0
Opcode ID: ef53846ad18cd16631833e8635ed39d696b035d98722a320c33038617bee09a2
Instruction ID: 5f29a6469cdfcf64a360b3b901b3bf6bc320c64146e7cc307cf8f171c6819411
Opcode Fuzzy Hash: ef53846ad18cd16631833e8635ed39d696b035d98722a320c33038617bee09a2
Instruction Fuzzy Hash: 764115B0A09326ABE7188A35C844355B7B8EB4532CF08276BD81DC3AC1D774D984CBE9

Function 6C8E4FF0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,?,?,00000001,?,6C7C85D2,00000000,?,?), ref: 6C8E4FFD
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8E500C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8E50C8
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8E50D6

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: _byteswap_ulong
String ID:
API String ID: 4101233201-0
Opcode ID: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
Instruction ID: b58d6a8ea1235918752b2ef370685529ec3b1621c4b18d68801b712b3bd98c1f
Opcode Fuzzy Hash: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
Instruction Fuzzy Hash: 524190B6A003158BCB18CF18DCD179AB7E1BF4931871D4A6DD84ACBB02E775E891CB91

Function 6C870420 Relevance: 6.1, APIs: 4, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000000,?,6C85C97F,?,?,?), ref: 6C8704BF
TlsGetValue.KERNEL32(00000000,?,6C85C97F,?,?,?), ref: 6C8704F4
EnterCriticalSection.KERNEL32(?,?,?,6C85C97F,?,?,?), ref: 6C87050D
PR_Unlock.NSS3(?,?,?,?,6C85C97F,?,?,?), ref: 6C870556

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Alloc_CriticalEnterSectionUnlockUtilValue
String ID:
API String ID: 349578545-0
Opcode ID: 747d406a66a7c7a66fe8c348a2eab1115d4ed93a8ada8215c223871c3abe403c
Instruction ID: 9824c04f3d5728ad36b3ab476a6f2def4e98900c0692ff8feece9428f780bc4a
Opcode Fuzzy Hash: 747d406a66a7c7a66fe8c348a2eab1115d4ed93a8ada8215c223871c3abe403c
Instruction Fuzzy Hash: 7841A170A05646CFDB24DF29C680669BBF4FF44308F14892DD8A99BB41E731E491CB90

Function 6C89A7B0 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 6C8AEDB0: PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C897FFA,?,6C899767,?,8B7874C0,0000A48E), ref: 6C8AEDD4

PK11_DigestOp.NSS3(?,00000000,?,?,?,?,?,?,00000004,?,6C8C1882,?,000000FE,?,?), ref: 6C89A8E3

Part of subcall function 6C84DEF0: TlsGetValue.KERNEL32 ref: 6C84DF37
Part of subcall function 6C84DEF0: EnterCriticalSection.KERNEL32(?), ref: 6C84DF4B
Part of subcall function 6C84DEF0: PR_SetError.NSS3(00000000,00000000), ref: 6C84E02B
Part of subcall function 6C84DEF0: PR_Unlock.NSS3(?), ref: 6C84E07E

PK11_DigestOp.NSS3(?,00000000,?), ref: 6C89A871

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: DigestErrorK11_$CriticalEnterSectionUnlockValue
String ID:
API String ID: 1327502718-0
Opcode ID: f04b7385c2221b14f1f8a92b8fbf0e804301bbdda105391d04ba888e2071f38d
Instruction ID: b4f3413715943f0892224c18a298bfa682cf23e6d43f1d1464aa2d281b88730c
Opcode Fuzzy Hash: f04b7385c2221b14f1f8a92b8fbf0e804301bbdda105391d04ba888e2071f38d
Instruction Fuzzy Hash: 8E31FBB2F00129ABEB20492C9D80BEB3366AB95208F188E34ED1457F41E731DC27D7D1

Function 6C826C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C826C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C826CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C826CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C948FE0), ref: 6C826CFE

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: f8f22ee79562403f4949068d1b544d729529766b152c5a5485f4f455281ef9d9
Instruction ID: 9e98016f89988650e7b9e5038b3e46e3c9fad2ce2e95436e4559cea8472e6871
Opcode Fuzzy Hash: f8f22ee79562403f4949068d1b544d729529766b152c5a5485f4f455281ef9d9
Instruction Fuzzy Hash: D831BEB1A0021A9BEB18DF65C985ABFBBF5EB85248B10483DD905D7700EB359945CBE0

Function 6C934F00 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000003,00000000,?,?,00000000), ref: 6C934F5D
free.MOZGLUE(?), ref: 6C934F74
free.MOZGLUE(?), ref: 6C934F82
GetLastError.KERNEL32 ref: 6C934F90

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$CreateErrorFileLast
String ID:
API String ID: 17951984-0
Opcode ID: b6bad89f661008c9461fe16e72cdc829ccc06fa489cc917754503670f8b5081a
Instruction ID: 96eba69f064e36aaf90c853bd84a3ab01bce23eba87bcc3ece44f4b0e220d53f
Opcode Fuzzy Hash: b6bad89f661008c9461fe16e72cdc829ccc06fa489cc917754503670f8b5081a
Instruction Fuzzy Hash: 62314B75A002294BEF01CB69DC45BDF77B8EF45348F090225EC19A7281D735D9148AA1

Function 6C896DE0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

PR_MillisecondsToInterval.NSS3(?), ref: 6C896E36
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C896E57

Part of subcall function 6C8CC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C8CC2BF

PR_MillisecondsToInterval.NSS3(?), ref: 6C896E7D
PR_MillisecondsToInterval.NSS3(?), ref: 6C896EAA

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: IntervalMilliseconds$ErrorValue
String ID:
API String ID: 3163584228-0
Opcode ID: eeb0b92018b340af06b14c7a37845ed1c1624e90b6e0d2f624ebd00033112b60
Instruction ID: 8e19ae8675e9b3aa12239c84eafe9a227da27a108ab438cba3653236495e86a1
Opcode Fuzzy Hash: eeb0b92018b340af06b14c7a37845ed1c1624e90b6e0d2f624ebd00033112b60
Instruction Fuzzy Hash: 2B31B171610616EBDBB41E3CCE0439AB7A4AB0631AF340E3CD899D6A40E7307854CBC1

Function 6C888530 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,6C8872EC), ref: 6C88855A

Part of subcall function 6C8807B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C828298,?,?,?,6C81FCE5,?), ref: 6C8807BF
Part of subcall function 6C8807B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8807E6
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C88081B
Part of subcall function 6C8807B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C880825

PORT_ArenaGrow_Util.NSS3(?,00000000,?,00000001,?,?,6C8872EC), ref: 6C88859E
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,6C8872EC), ref: 6C8885B8
PR_SetError.NSS3(FFFFE005,00000000,?,6C8872EC), ref: 6C888600

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ErrorUtil$ArenaHashLookupTable$Alloc_ConstFindGrow_
String ID:
API String ID: 1727503455-0
Opcode ID: c3976de85504193724a61ee596be12a747b852d478c2b9224f3d669c07c31240
Instruction ID: 61a41d2179fca219533b596859546daf001fa8368fe34754ec35666792215b61
Opcode Fuzzy Hash: c3976de85504193724a61ee596be12a747b852d478c2b9224f3d669c07c31240
Instruction Fuzzy Hash: 8B214832A022054BE7208F2DDE40B2B72A9AF8131CF654A3AD865D7FC1EB31DC06C791

Function 6C8287D0 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,6C81EF74,00000000), ref: 6C8287E8

Part of subcall function 6C880FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881000
Part of subcall function 6C880FF0: PR_NewLock.NSS3(?,00000800,6C81EF74,00000000), ref: 6C881016
Part of subcall function 6C880FF0: PL_InitArenaPool.NSS3(00000000,security,6C8287ED,00000008,?,00000800,6C81EF74,00000000), ref: 6C88102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000008,?,6C81EF74,00000000), ref: 6C8287FD

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C82884C
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C82889F

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ArenaUtil$Alloc_Arena_Value$AllocateCriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 59923426-0
Opcode ID: c4ac55ec74af02117cdcc0fbd1c3711bb8b55bdcffeff102f11dff859e85a3d8
Instruction ID: 6320462f2a0f4460fd088d844abb116a51d7833ea78153431e1db30b82cfa8d4
Opcode Fuzzy Hash: c4ac55ec74af02117cdcc0fbd1c3711bb8b55bdcffeff102f11dff859e85a3d8
Instruction Fuzzy Hash: C5316F72A012198FEB10CFA8DE44BAA77E4FF45349F14443AD9149B750EB34D648CBA1

Function 6C826420 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000,00000001,00000000,00000000,?,?,6C825DEF,?,?,?), ref: 6C826456
CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001,00000001,00000000,00000000,?,?,6C825DEF,?,?,?), ref: 6C826476
CERT_DestroyCertificate.NSS3(00000000,?,?,?,?,?,?,6C825DEF,?,?,?), ref: 6C8264A0
PR_SetError.NSS3(FFFFE020,00000000,00000001,00000000,00000000,?,?,6C825DEF,?,?,?), ref: 6C8264C2

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CertificateError$DestroyTemp
String ID:
API String ID: 3886907618-0
Opcode ID: 69f7a8026667b2e723c64be03bd8d7d7b0b57e47e95c4ffce8af3ad3ba9e6179
Instruction ID: 98b29d975deccb4373c9bb795be6c0ebfa31f2052fee6a5937ea1ce854f3121b
Opcode Fuzzy Hash: 69f7a8026667b2e723c64be03bd8d7d7b0b57e47e95c4ffce8af3ad3ba9e6179
Instruction Fuzzy Hash: 3221E7B1A002116BEB309F28DD4DB6376E8AB40318F144E38F959C6B51E7BAD998C7D1

Function 6C864FB0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C86B60F,00000000), ref: 6C865003
EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C86B60F,00000000), ref: 6C86501C
PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6C86B60F,00000000), ref: 6C86504B
free.MOZGLUE(?,00000000,00000000,00000000,?,6C86B60F,00000000), ref: 6C865064

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValuefree
String ID:
API String ID: 1112172411-0
Opcode ID: c34d249bb7efe1b2fb578dfbb49a2b00589541783427ba666bba3de8f3ce0b18
Instruction ID: dfc421a0bc219c7cc13fb97f1fa561322b9c0a344dde68fb05e6df2b3daeef2f
Opcode Fuzzy Hash: c34d249bb7efe1b2fb578dfbb49a2b00589541783427ba666bba3de8f3ce0b18
Instruction Fuzzy Hash: F5312AB0A05706CFDB11EF69C584A6ABBF4FF49304B154969D899D7B01E730E890CBD2

Function 6C874590 Relevance: 6.1, APIs: 4, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000008,?,6C87473B,00000000,?,6C867A4F,?), ref: 6C87459B

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

TlsGetValue.KERNEL32(?,?,6C87473B,00000000,?,6C867A4F,?), ref: 6C8745BF
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C87473B,00000000,?,6C867A4F,?), ref: 6C8745D3
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,6C87473B,00000000,?,6C867A4F,?), ref: 6C8745E8

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$Alloc_CriticalEnterSectionUnlockUtilmalloc
String ID:
API String ID: 2963671366-0
Opcode ID: 7c29dee183ebcdcc5d8481f3d3abb186a049f85fadc5f02d8645eb3d6e836172
Instruction ID: 779536b40ad3d2c5cbdad35bb699ff1337cea4224b2c36eec74079917aab923d
Opcode Fuzzy Hash: 7c29dee183ebcdcc5d8481f3d3abb186a049f85fadc5f02d8645eb3d6e836172
Instruction Fuzzy Hash: 0D2106B0A01206ABEB209F69DE4456EBBB4FF86309F104935E848D7B10F731E954CBA1

Function 6C8104D0 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 6C8104F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C81053B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C810558
GetLastError.KERNEL32 ref: 6C81057A

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorFileHandleInformationLast
String ID:
API String ID: 3051374878-0
Opcode ID: af33e1c4e43940d46e1e592463f3b9f657b0510b2e21b1bc9db890f4646cff59
Instruction ID: 5e3fe8b51d4eccd511a60aab98f68ae9c11270c79a63cd302706448738e05c0e
Opcode Fuzzy Hash: af33e1c4e43940d46e1e592463f3b9f657b0510b2e21b1bc9db890f4646cff59
Instruction Fuzzy Hash: 44216271A002199FDB08DF98DD94AAEB7B8FF49314B108529E809DB351D731ED05CBA0

Function 6C892DF0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C892E08

Part of subcall function 6C8814C0: TlsGetValue.KERNEL32 ref: 6C8814E0
Part of subcall function 6C8814C0: EnterCriticalSection.KERNEL32 ref: 6C8814F5
Part of subcall function 6C8814C0: PR_Unlock.NSS3 ref: 6C88150D

PORT_NewArena_Util.NSS3(00000400), ref: 6C892E1C
PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6C892E3B
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C892E95

Part of subcall function 6C881200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C8288A4,00000000,00000000), ref: 6C881228
Part of subcall function 6C881200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C881238
Part of subcall function 6C881200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C8288A4,00000000,00000000), ref: 6C88124B
Part of subcall function 6C881200: PR_CallOnce.NSS3(6C982AA4,6C8812D0,00000000,00000000,00000000,?,6C8288A4,00000000,00000000), ref: 6C88125D
Part of subcall function 6C881200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C88126F
Part of subcall function 6C881200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C881280
Part of subcall function 6C881200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C88128E
Part of subcall function 6C881200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C88129A
Part of subcall function 6C881200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C8812A1

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
String ID:
API String ID: 1441289343-0
Opcode ID: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction ID: 32102ae12a56114be778e89942af9c4c27ea71c3a54fb92bb24090c2e5086512
Opcode Fuzzy Hash: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction Fuzzy Hash: 2921D4B1E013454BE720DF589E84BAE3764AF9130CF110679DD185BB43FBB5E6988292

Function 6C84ACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C84ACC2

Part of subcall function 6C822F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C822F0A
Part of subcall function 6C822F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C822F1D

Part of subcall function 6C822AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C820A1B,00000000), ref: 6C822AF0
Part of subcall function 6C822AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C822B11

CERT_DestroyCertList.NSS3(00000000), ref: 6C84AD5E

Part of subcall function 6C8657D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C82B41E,00000000,00000000,?,00000000,?,6C82B41E,00000000,00000000,00000001,?), ref: 6C8657E0
Part of subcall function 6C8657D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C865843

CERT_DestroyCertList.NSS3(?), ref: 6C84AD36

Part of subcall function 6C822F50: CERT_DestroyCertificate.NSS3(?), ref: 6C822F65
Part of subcall function 6C822F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C822F83

free.MOZGLUE(?), ref: 6C84AD4F

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: 8cb8a41e3b699aecd7fef73584918f97c44caadd25e890bc348f51d6af756bfc
Instruction ID: 68e3a5e4d405fd70f1971009085b5bac448147728d8144698e39ddaace5f3c36
Opcode Fuzzy Hash: 8cb8a41e3b699aecd7fef73584918f97c44caadd25e890bc348f51d6af756bfc
Instruction Fuzzy Hash: 612108B1D002188BEB30DF68DA055EEB7B4EF05219F558878D8057BB00FB35AA59CBE1

Function 6C8624E0 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C8624FF
EnterCriticalSection.KERNEL32(?), ref: 6C86250F
PR_Unlock.NSS3(?), ref: 6C86253C
PR_SetError.NSS3(00000000,00000000), ref: 6C862554

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: e9cb383345ed2e5d153ef8aae95944bd0ca41ebc808644f447cee76b00fe11c5
Instruction ID: 73fb5b75f15372805fc5d0b2eb4fc313f904723580b6f8519889525bb9110c0f
Opcode Fuzzy Hash: e9cb383345ed2e5d153ef8aae95944bd0ca41ebc808644f447cee76b00fe11c5
Instruction Fuzzy Hash: 0F112671E00118ABDB20AF68DD48AAB7B78EF0A328B554974EC0897701E731E954C7E2

Function 6C87ECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C87F0AD,6C87F150,?,6C87F150,?,?,?), ref: 6C87ECBA

Part of subcall function 6C880FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881000
Part of subcall function 6C880FF0: PR_NewLock.NSS3(?,00000800,6C81EF74,00000000), ref: 6C881016
Part of subcall function 6C880FF0: PL_InitArenaPool.NSS3(00000000,security,6C8287ED,00000008,?,00000800,6C81EF74,00000000), ref: 6C88102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C87ECD1

Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C8810F3
Part of subcall function 6C8810C0: EnterCriticalSection.KERNEL32(?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88110C
Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881141
Part of subcall function 6C8810C0: PR_Unlock.NSS3(?,?,?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C881182
Part of subcall function 6C8810C0: TlsGetValue.KERNEL32(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C87ED02

Part of subcall function 6C8810C0: PL_ArenaAllocate.NSS3(?,6C828802,00000000,00000008,?,6C81EF74,00000000), ref: 6C88116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C87ED5A

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: 502d7779faadaec6979e03a12ae1e3f34cfe69b8c3de8e5c15bc949c342bb3e3
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: AA21F5B19017415FE320CF29DB44B95BBE4AF95349F25C625A81C87A51FB70E590C7E0

Function 6C8AEDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C897FFA,?,6C899767,?,8B7874C0,0000A48E), ref: 6C8AEDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C897FFA,?,6C899767,?,8B7874C0,0000A48E), ref: 6C8AEDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6C897FFA,?,6C899767,?,8B7874C0,0000A48E), ref: 6C8AEE14

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

memcpy.VCRUNTIME140(?,?,6C899767,00000000,00000000,6C897FFA,?,6C899767,?,8B7874C0,0000A48E), ref: 6C8AEE33

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: ae4cb0b425888146b2398e165fe52706baf3ddef6689b8cf30bb267bad9b7b79
Instruction ID: 61560a2be9125bcd36d8640e197e8fbc05b78269aacc9e1c9838d02dba2537e1
Opcode Fuzzy Hash: ae4cb0b425888146b2398e165fe52706baf3ddef6689b8cf30bb267bad9b7b79
Instruction Fuzzy Hash: E011C6B1A01716ABEB309EA9DEC4B06B3A8EF0035DF204D35E91982A40E331F475C7E1

Function 6C848DD0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C848DE7
EnterCriticalSection.KERNEL32 ref: 6C848DFC
PR_Unlock.NSS3 ref: 6C848E2D
PR_SetError.NSS3 ref: 6C848E49

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: d918d4d12148c8e0979af322ff6b99b5fd044d1823b68e86532225ecc863e321
Instruction ID: 88f2bbab4eb573b4c2422ac793a001defda4c62ae42bd452ef961640235e25e3
Opcode Fuzzy Hash: d918d4d12148c8e0979af322ff6b99b5fd044d1823b68e86532225ecc863e321
Instruction Fuzzy Hash: E0118FB16096149BD710AF78C54466ABBF4FF05314F118D69DC88D7B00E730E854CBD2

Function 6C8CAC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C8B5F17,?,?,?,?,?,?,?,?,6C8BAAD4), ref: 6C8CAC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C8B5F17,?,?,?,?,?,?,?,?,6C8BAAD4), ref: 6C8CACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C8BAAD4), ref: 6C8CACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C8BAAD4), ref: 6C8CACDB

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: b906783f3f941621908585deaf7f44d2c7e2265830019e1b808947568dab6118
Instruction ID: dd54c2bfd562805c13f6a362a4343e9566f6a00f021dfcb93804b48e71ca6a92
Opcode Fuzzy Hash: b906783f3f941621908585deaf7f44d2c7e2265830019e1b808947568dab6118
Instruction Fuzzy Hash: 86015EB5701B129BEB60DF2ADA08793B7E8BF0069AB114839D85AC3E00E735F454CB91

Function 6C88C590 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C88C5AD

Part of subcall function 6C880FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8287ED,00000800,6C81EF74,00000000), ref: 6C881000
Part of subcall function 6C880FF0: PR_NewLock.NSS3(?,00000800,6C81EF74,00000000), ref: 6C881016
Part of subcall function 6C880FF0: PL_InitArenaPool.NSS3(00000000,security,6C8287ED,00000008,?,00000800,6C81EF74,00000000), ref: 6C88102B

CERT_DecodeCertPackage.NSS3(?,?,6C88C610,?), ref: 6C88C5C2

Part of subcall function 6C88C0B0: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C88C0E6

CERT_NewTempCertificate.NSS3(?,00000000,00000000,00000001), ref: 6C88C5E0
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C88C5EF

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Arena_Util$ArenaCertCertificateDecodeErrorFreeInitLockPackagePoolTempcalloc
String ID:
API String ID: 1454898856-0
Opcode ID: cca1efb4c5a07bfdb38c288a8fd25419bcefb91883e48ad4e5944f3dca8df1de
Instruction ID: 867779d255d33aaa157930267a8613ab82d5730b66eb42418a3193a1516243fc
Opcode Fuzzy Hash: cca1efb4c5a07bfdb38c288a8fd25419bcefb91883e48ad4e5944f3dca8df1de
Instruction Fuzzy Hash: C401F2B1E012046BEB10AB68ED06EBF7B78DF01658F454539EC05AB782F731A908C6E1

Function 6C8807B0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C828298,?,?,?,6C81FCE5,?), ref: 6C8807BF

Part of subcall function 6C878800: TlsGetValue.KERNEL32(?,6C88085A,00000000,?,6C828369,?), ref: 6C878821
Part of subcall function 6C878800: TlsGetValue.KERNEL32(?,?,6C88085A,00000000,?,6C828369,?), ref: 6C87883D
Part of subcall function 6C878800: EnterCriticalSection.KERNEL32(?,?,?,6C88085A,00000000,?,6C828369,?), ref: 6C878856
Part of subcall function 6C878800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C878887
Part of subcall function 6C878800: PR_Unlock.NSS3(?,?,?,?,6C88085A,00000000,?,6C828369,?), ref: 6C878899

PL_HashTableLookup.NSS3(?,?), ref: 6C8807E6

Part of subcall function 6C8788E0: TlsGetValue.KERNEL32(00000000,?,?,6C8808AA,?), ref: 6C8788F6
Part of subcall function 6C8788E0: EnterCriticalSection.KERNEL32(?,?,?,?,6C8808AA,?), ref: 6C87890B
Part of subcall function 6C8788E0: PR_NotifyCondVar.NSS3(?,?,?,?,?,6C8808AA,?), ref: 6C878936
Part of subcall function 6C8788E0: PR_Unlock.NSS3(?,?,?,?,?,6C8808AA,?), ref: 6C878940

PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C88081B
PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C880825

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$CondCriticalEnterErrorHashLookupSectionTableUnlock$ConstNotifyWait
String ID:
API String ID: 2112424139-0
Opcode ID: cfa80130cc5241a3c9861d514e08593dc04632298bf0dbd22b8f453725f10e71
Instruction ID: f61e1105723efc07bf53bdd24aeff1c4854c1b08d166e4e4252a89cd9dacfd79
Opcode Fuzzy Hash: cfa80130cc5241a3c9861d514e08593dc04632298bf0dbd22b8f453725f10e71
Instruction Fuzzy Hash: 7FF0A9E6E1652027D7311769AD04C9B39A8DB8376DB580935EC04A3F12FB31D91896F2

Function 6C8824E0 Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6C85C154,000000FF,00000000,00000000,00000000,00000000,?,?,6C85C154,?), ref: 6C8824FA
PORT_Alloc_Util.NSS3(00000000,?,6C85C154,?), ref: 6C882509

Part of subcall function 6C880BE0: malloc.MOZGLUE(6C878D2D,?,00000000,?), ref: 6C880BF8
Part of subcall function 6C880BE0: TlsGetValue.KERNEL32(6C878D2D,?,00000000,?), ref: 6C880C15

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?), ref: 6C882525
free.MOZGLUE(00000000), ref: 6C882532

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ByteCharMultiWide$Alloc_UtilValuefreemalloc
String ID:
API String ID: 929835568-0
Opcode ID: e254913fe96a3f3fbe55d1d1cbe6c6366068799b2684ca344eb566d36db31095
Instruction ID: 90e3866f907051e32ba0426d58179d5ecec63271ccea380581eb0728763c777a
Opcode Fuzzy Hash: e254913fe96a3f3fbe55d1d1cbe6c6366068799b2684ca344eb566d36db31095
Instruction Fuzzy Hash: 7AF096B234712237FB20257A5D0DE7739ACDB43AF9B240631BD28C6AC0D954C811C1F1

Function 6C930660 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

PR_DestroyLock.NSS3(?,00000000,00000000,?,?,6C937B1B,?,?,?,?,?,?,?,?,?,6C93798A), ref: 6C930670

Part of subcall function 6C8E9EA0: DeleteCriticalSection.KERNEL32(?), ref: 6C8E9EAA

free.MOZGLUE(?,00000000,00000000,?,?,6C937B1B,?,?,?,?,?,?,?,?,?,6C93798A), ref: 6C930696
free.MOZGLUE(00000004,6C937B1B,?,?,?,?,?,?,?,?,?,6C93798A), ref: 6C9306C7
free.MOZGLUE(?,00000000,00000000,?,?,6C937B1B,?,?,?,?,?,?,?,?,?,6C93798A), ref: 6C9306E9

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: free$CriticalDeleteDestroyLockSection
String ID:
API String ID: 1785261712-0
Opcode ID: e41d0ec349178db409b741560638ea826fa8c964585789287e89a42db9ecf575
Instruction ID: ff76d77bbe6fbe81f464304dd2e530815d8c4e0b0eb18a1786694c4a9dbd99e4
Opcode Fuzzy Hash: e41d0ec349178db409b741560638ea826fa8c964585789287e89a42db9ecf575
Instruction Fuzzy Hash: 69118CF470B2219FEF04CF19C985B0A37B8EB8734DF285625E45987618C771E805CBA9

Function 6C8CAC00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,6C8B5D40,00000000,?,?,6C8A6AC6,6C8B639C), ref: 6C8CAC2D

Part of subcall function 6C86ADC0: TlsGetValue.KERNEL32(?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE10
Part of subcall function 6C86ADC0: EnterCriticalSection.KERNEL32(?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE24
Part of subcall function 6C86ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C84D079,00000000,00000001), ref: 6C86AE5A
Part of subcall function 6C86ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE6F
Part of subcall function 6C86ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AE7F
Part of subcall function 6C86ADC0: TlsGetValue.KERNEL32(?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AEB1
Part of subcall function 6C86ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C84CDBB,?,6C84D079,00000000,00000001), ref: 6C86AEC9

PK11_FreeSymKey.NSS3(?,6C8B5D40,00000000,?,?,6C8A6AC6,6C8B639C), ref: 6C8CAC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6C8B5D40,00000000,?,?,6C8A6AC6,6C8B639C), ref: 6C8CAC59
free.MOZGLUE(8CB6FF01,6C8A6AC6,6C8B639C,?,?,?,?,?,?,?,?,?,6C8B5D40,00000000,?,6C8BAAD4), ref: 6C8CAC62

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID:
API String ID: 1595327144-0
Opcode ID: 14638b140c41ae8f7400f4e7e1479570c1bf362112e2d9a16a0c7750d0c64bbb
Instruction ID: 4e1f1906e3deb455f0d0fcbb6b455d9a2d8a66a50e4e5f98d5cda149cf449026
Opcode Fuzzy Hash: 14638b140c41ae8f7400f4e7e1479570c1bf362112e2d9a16a0c7750d0c64bbb
Instruction Fuzzy Hash: CC017CB56012109BDF20CF19EAC0B8677ACAB1475DF188478E9098F706D731E804CBA2

Function 6C89A710 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

PK11_DestroyContext.NSS3(?,00000001,-00000001,?,6C8C186B,?), ref: 6C89A738

Part of subcall function 6C84CD80: free.MOZGLUE(?,6C84D079,00000000,00000001), ref: 6C84CDA5
Part of subcall function 6C84CD80: PK11_FreeSymKey.NSS3(?,6C84D079,00000000,00000001), ref: 6C84CDB6
Part of subcall function 6C84CD80: SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C84D079,00000000,00000001), ref: 6C84CDCF
Part of subcall function 6C84CD80: DeleteCriticalSection.KERNEL32(?,6C84D079,00000000,00000001), ref: 6C84CDE2
Part of subcall function 6C84CD80: free.MOZGLUE(?), ref: 6C84CDE9

PK11_DestroyContext.NSS3(?,00000001,-00000001,?,6C8C186B,?), ref: 6C89A757
PK11_DestroyContext.NSS3(?,00000001,-00000001,?,6C8C186B,?), ref: 6C89A776
PK11_DestroyContext.NSS3(?,00000001,-00000001,?,6C8C186B,?), ref: 6C89A795

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: K11_$ContextDestroy$free$CriticalDeleteFreeItem_SectionUtilZfree
String ID:
API String ID: 3138553132-0
Opcode ID: 492b612786a5ec9ed6f512fb0ce52e46a673138c3700f546dfff5c578f687e19
Instruction ID: fe8f0c5a4b0543f8247b8284f8393dbde715656cea7064f80b197d2e1aebd48b
Opcode Fuzzy Hash: 492b612786a5ec9ed6f512fb0ce52e46a673138c3700f546dfff5c578f687e19
Instruction Fuzzy Hash: 24011EF0A107006BE7309A399D857C77BEC6B05609F004C2CE6ADDB681E775B0488B64

Function 6C8B0450 Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(40C70845,?,6C8B4710,?,000F4240,00000000), ref: 6C8B046B
GetLastError.KERNEL32(?,6C8B4710,?,000F4240,00000000), ref: 6C8B0479

Part of subcall function 6C8CBF80: TlsGetValue.KERNEL32(00000000,?,6C8B461B,-00000004), ref: 6C8CC244

PR_Unlock.NSS3(40C70845,?,6C8B4710,?,000F4240,00000000), ref: 6C8B0492
PR_SetError.NSS3(FFFFE89D,00000000,?,6C8B4710,?,000F4240,00000000), ref: 6C8B04A5

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Error$LastMutexReleaseUnlockValue
String ID:
API String ID: 4014558462-0
Opcode ID: 0b72307a2d50be43fe9f1d6fe1a6604e1153e996e3541a3a93f7b3131b9180c6
Instruction ID: 76e0f543c3e69f3132608e5c7f30b994f1a97beca7f942f3a9f9ec90810f5447
Opcode Fuzzy Hash: 0b72307a2d50be43fe9f1d6fe1a6604e1153e996e3541a3a93f7b3131b9180c6
Instruction Fuzzy Hash: BEF0B4F0B147455BEB20ABB99F58B1BB2A99B0130DF148C74E80AE7F51EB31E4448522

Function 6C8487E0 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

PK11_GetCertFromPrivateKey.NSS3(?), ref: 6C8487EA
PK11_DestroyTokenObject.NSS3(?,00000000), ref: 6C848809
CERT_DestroyCertificate.NSS3(00000000), ref: 6C848818
SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C848821

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Destroy$K11_Private$CertCertificateFromObjectToken
String ID:
API String ID: 3228624125-0
Opcode ID: ac916d6c03ed572d4810efe894036a746260e874c6db0241746666bb94f464c0
Instruction ID: 6fcc44b0889f0cf2851e1a151e1280663ae88e02a2088af683ef27c942488e77
Opcode Fuzzy Hash: ac916d6c03ed572d4810efe894036a746260e874c6db0241746666bb94f464c0
Instruction Fuzzy Hash: 5BE0E5B7D0122C27D632196ABE40A8A361C8B8567DF089A31ED099A742F729DD1983E1

Function 6C93CC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6C93CC61
free.MOZGLUE ref: 6C93CC6E
DeleteCriticalSection.KERNEL32(?), ref: 6C93CC80
free.MOZGLUE(?), ref: 6C93CC87

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: d9aca900fe83881b00c180c7aee3b3aec23dadd0f2ff98475921c277be8240b7
Instruction ID: dffbb41590288d7a222d47ab502df36c65a89d987949d6dd72711b66b95eec73
Opcode Fuzzy Hash: d9aca900fe83881b00c180c7aee3b3aec23dadd0f2ff98475921c277be8240b7
Instruction Fuzzy Hash: 07E030767056189BCF10EFA8DC4488677ACEF492713150525F691D3700D231F905CBE1

Function 6C874D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C874D57
PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C874DE6

Strings

%d.%d, xrefs: 6C874DDE

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: ErrorR_snprintf
String ID: %d.%d
API String ID: 2298970422-3954714993
Opcode ID: 9a7d58f5341488f0cbd49d695cbcc3f00f020c5663f5e6784a497b770301c4bb
Instruction ID: 3193662670e46363540d71a0180e3aa0433f971b8abb62180879d793171ca126
Opcode Fuzzy Hash: 9a7d58f5341488f0cbd49d695cbcc3f00f020c5663f5e6784a497b770301c4bb
Instruction Fuzzy Hash: 873109B2D042186BEB309B649D05BFF7A68DF81308F150829EC5597641FB709915CBB1

Function 6C810F00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

PR_GetPageSize.NSS3(6C810936,FFFFE8AE,?,6C7A16B7,00000000,?,6C810936,00000000,?,6C7A204A), ref: 6C810F1B

Part of subcall function 6C811370: GetSystemInfo.KERNEL32(?,?,?,?,6C810936,?,6C810F20,6C810936,FFFFE8AE,?,6C7A16B7,00000000,?,6C810936,00000000), ref: 6C81138F

PR_NewLogModule.NSS3(clock,6C810936,FFFFE8AE,?,6C7A16B7,00000000,?,6C810936,00000000,?,6C7A204A), ref: 6C810F25

Part of subcall function 6C811110: calloc.MOZGLUE(00000001,0000000C,?,?,?,?,?,?,?,?,?,?,6C810936,00000001,00000040), ref: 6C811130
Part of subcall function 6C811110: strdup.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,6C810936,00000001,00000040), ref: 6C811142
Part of subcall function 6C811110: PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES,?,?,?,?,?,?,?,?,?,?,?,?,?,6C810936,00000001), ref: 6C811167

Strings

clock, xrefs: 6C810F20

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: InfoModulePageSecureSizeSystemcallocstrdup
String ID: clock
API String ID: 536403800-3195780754
Opcode ID: 66efaf1076d77b5b780ef8ff377f7b9b1a20893d221211b7e7e5343b05e9b170
Instruction ID: 13dd92a59d86cd3c8fb6214e2758ef2d7f0533a92e2fbb47f1d13b710d7f6edb
Opcode Fuzzy Hash: 66efaf1076d77b5b780ef8ff377f7b9b1a20893d221211b7e7e5343b05e9b170
Instruction Fuzzy Hash: F5D0223160C18495C7206A6B9C44BAAF2ECC7D327DF200C32E00843D000A3880EAE265

Function 6C880DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6C880DF5
TlsGetValue.KERNEL32 ref: 6C880E2D
TlsGetValue.KERNEL32 ref: 6C880E58
TlsGetValue.KERNEL32 ref: 6C880E84

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: a75f24bfbb2eed2d6a522de3d6d7368536922e02b98f3e9f22d528dcbb8495f3
Instruction ID: 88dc32b23cff8385f2055ef1fa7533baf46be73b8727ead8305bb0b1c0a12501
Opcode Fuzzy Hash: a75f24bfbb2eed2d6a522de3d6d7368536922e02b98f3e9f22d528dcbb8495f3
Instruction Fuzzy Hash: 2A31B27064B785CBDB206F7CCA8426A7BB4BF06308F154E69D89887E21DB308495CBA1

Function 6C7DA4E0 Relevance: 5.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,6C7DA468,00000000), ref: 6C7DA4F9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6C7DA468,00000000), ref: 6C7DA51B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C7DA468,?,6C7DA468,00000000), ref: 6C7DA545
memcpy.VCRUNTIME140(00000001,6C7DA468,00000001,?,?,?,6C7DA468,00000000), ref: 6C7DA57D

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 600eb8a033a5ca9a43437b08be08586c367961074f3215d643a34829541b8b4a
Instruction ID: 625ea41c0d325b64fb14db8e0b5861a096c8eb99034ff8e8bf82871f3e9f2e15
Opcode Fuzzy Hash: 600eb8a033a5ca9a43437b08be08586c367961074f3215d643a34829541b8b4a
Instruction Fuzzy Hash: 351136B3D0031557DB008DB99C85AAB7799AFA5278F290234ED2A873C0F335E90882E1

Function 6C880F10 Relevance: 5.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C822AF5,?,?,?,?,?,6C820A1B,00000000), ref: 6C880F1A
malloc.MOZGLUE(00000001), ref: 6C880F30
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C880F42
TlsGetValue.KERNEL32 ref: 6C880F5B

Memory Dump Source

Source File: 00000009.00000002.2673668635.000000006C7A1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6C7A0000, based on PE: true

Associated: 00000009.00000002.2673519793.000000006C7A0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674089106.000000006C93F000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674219636.000000006C97E000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674363480.000000006C97F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674433408.000000006C980000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000009.00000002.2674509062.000000006C985000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c7a0000_32ff2fbd90.jbxd

Similarity

API ID: Valuemallocmemcpystrlen
String ID:
API String ID: 2332725481-0
Opcode ID: 857aba372748ea5e296f59e2d2b7d8fdb27da83293e02ab0f87616dd31f0eca5
Instruction ID: 307c8438b9ccaa2780ea58566872f4d5c9ebd84d8ac9b54dd8f76bdb017b1be4
Opcode Fuzzy Hash: 857aba372748ea5e296f59e2d2b7d8fdb27da83293e02ab0f87616dd31f0eca5
Instruction Fuzzy Hash: CB01F5B1A076949BE7302B3E9E045627AACEF52259B144931E81CC6E61E731C81482E2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DRWgoZo325.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\DBKKFCBA

C:\ProgramData\ECAFHIIJJECGDHIEGDAK

C:\ProgramData\GDBFHDHJ

C:\ProgramData\JEHIJJKEGHJJKECBKECF

C:\ProgramData\freebl3.dll

C:\ProgramData\mozglue.dll

Windows Analysis Report
DRWgoZo325.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre